


Institutional Archive of the Naval Postgraduate School 


Calhoun: The NPS Institutional Archive 
DSpace Repository 


Theses and Dissertations 1. Thesis and Dissertation Collection, all items


1986 


An investigation of multilevel security and its 
application in the Wargaming, Research, and 
Analysis (W.A.R)--lab. 


Wall, James A. 


http://hdl.handle.net/10945/21938 


Downloaded from NPS Archive: Calhoun 


Calhoun is the Naval Postgraduate School's public access digital repository for research materials and institutional publications created by the NPS community. Calhoun is named for Professor of Mathematics Guy K. Calhoun, NPS's first appointed — and published — scholarly author.

Dudley Knox Library / Naval Postgraduate School
411 Dyer Road / 1 University Circle
Monterey, California USA 93943








http://www.nps.edu/library 







NAVAL POSTGRADUATE SCHOOL 


Monterey, California





THESIS 


AN INVESTIGATION OF MULTILEVEL SECURITY AND ITS 
APPLICATION IN THE WARGAMING, RESEARCH, AND 
ANALYSIS (W.A.R.) LAB 
by 


James A. Wall 


March 1986 


Thesis Advisor: Thomas J. Brown 





Approved for public release; distribution is unlimited. 





SECURITY CLASSIFICATION OF THIS PAGE

REPORT DOCUMENTATION PAGE

1a. REPORT SECURITY CLASSIFICATION: UNCLASSIFIED
1b. RESTRICTIVE MARKINGS:
2a. SECURITY CLASSIFICATION AUTHORITY:
2b. DECLASSIFICATION / DOWNGRADING SCHEDULE:
3. DISTRIBUTION / AVAILABILITY OF REPORT: Approved for public release; distribution is unlimited.
4. PERFORMING ORGANIZATION REPORT NUMBER(S):
5. MONITORING ORGANIZATION REPORT NUMBER(S):
6a. NAME OF PERFORMING ORGANIZATION: Naval Postgraduate School
6b. OFFICE SYMBOL (If applicable): 74
6c. ADDRESS (City, State, and ZIP Code): Monterey, California 93943-5000
7a. NAME OF MONITORING ORGANIZATION: Naval Postgraduate School
7b. ADDRESS (City, State, and ZIP Code): Monterey, California 93943-5000
8a. NAME OF FUNDING / SPONSORING ORGANIZATION:
8b. OFFICE SYMBOL (If applicable):
8c. ADDRESS (City, State, and ZIP Code):
9. PROCUREMENT INSTRUMENT IDENTIFICATION NUMBER:
10. SOURCE OF FUNDING NUMBERS (PROGRAM ELEMENT NO. / PROJECT NO. / TASK NO. / WORK UNIT ACCESSION NO.):
11. TITLE (Include Security Classification): AN INVESTIGATION OF MULTILEVEL SECURITY AND ITS APPLICATION IN THE WARGAMING, RESEARCH, AND ANALYSIS (W.A.R.) LAB
12. PERSONAL AUTHOR(S): Wall, James A.
13a. TYPE OF REPORT: Master's Thesis
13b. TIME COVERED: FROM    TO
14. DATE OF REPORT (Year, Month, Day): 1986 March
15. PAGE COUNT: 93
16. SUPPLEMENTARY NOTATION:
17. COSATI CODES (FIELD / GROUP / SUB-GROUP):
18. SUBJECT TERMS (Continue on reverse if necessary and identify by block number): Multilevel Security, Security Kernel, Risk Assessment
19. ABSTRACT (Continue on reverse if necessary and identify by block number):

This thesis presents a discussion of automated data processing and storage in a multilevel secure environment. The paper covers areas such as the design and implementation of a security kernel; the DOD Computer Security Center's criteria for trusted computer systems and networks; and risk assessment when processing and storing sensitive or classified data.

One of the primary purposes of this paper is to serve as a handy reference for students in the Command, Control, and Communications curriculum at the Naval Postgraduate School who will research multilevel security and secure guard applications following the acquisition of the Gemini Trusted Multiple Microcomputer Base for the Wargaming, Research, and Analysis (W.A.R.) lab.

Additionally, a risk assessment of the W.A.R. lab was conducted and the possibilities of converting the facility into a multilevel secure computing environment were investigated.

20. DISTRIBUTION / AVAILABILITY OF ABSTRACT (UNCLASSIFIED/UNLIMITED; SAME AS RPT.; DTIC USERS):
21. ABSTRACT SECURITY CLASSIFICATION: Unclassified
22a. NAME OF RESPONSIBLE INDIVIDUAL: Thomas J. Brown
22b. TELEPHONE (Include Area Code): 200904522772
22c. OFFICE SYMBOL: 62Bb

DD FORM 1473, 84 MAR. 83 APR edition may be used until exhausted. All other editions are obsolete.

SECURITY CLASSIFICATION OF THIS PAGE



Approved for public release; distribution is unlimited 


An Investigation of Multilevel Security and Its Application 
in the Wargaming, Research, and Analysis (W.A.R.) Lab 


by 


James A. Wall
Captain, United States Army 
B.S., North Carolina State University, 1977 


Submitted in partial fulfillment of the 
requirements for the degree of 


MASTER OF SCIENCE IN SYSTEMS TECHNOLOGY 
(Command, Control and Communications) 


from the 


NAVAL POSTGRADUATE SCHOOL 
March 1986 


ABSTRACT 


This thesis presents a discussion of automated data processing and storage in a multilevel secure environment. The paper covers areas such as the design and implementation of a security kernel; the DoD Computer Security Center's criteria for trusted computer systems and networks; and risk assessment when processing and storing sensitive or classified data.

One of the primary purposes of this paper is to serve as a handy reference for students in the Command, Control, and Communications curriculum at the Naval Postgraduate School who will research multilevel security and secure guard applications following the acquisition of the Gemini Trusted Multiple Microcomputer Base for the Wargaming, Research, and Analysis (W.A.R.) lab.

Additionally, a risk assessment of the W.A.R. lab was conducted and the possibilities of converting the facility into a multilevel secure computing environment were investigated.


TABLE OF CONTENTS 


I. INTRODUCTION
   A. HISTORICAL PERSPECTIVE
   B. COMPUTER SECURITY
      1. Physical Security
      2. Security Modes of Operation
      3. Communications Security
      4. Authentication
   C. DEVELOPMENT OF MULTILEVEL SECURE SYSTEMS
   D. OBJECTIVES
II. SECURITY KERNEL DESIGN AND IMPLEMENTATION
   A. THE REFERENCE MONITOR CONCEPT
      [entry illegible]
   [entry illegible]
      1. Security Kernel Design and Implementation
      2. [entry illegible]
III. DOD TRUSTED COMPUTER SYSTEMS AND NETWORKS
   A. [entry illegible]
      1. [entry illegible]
      2. [entry illegible]
   B. TRUSTED NETWORK SYSTEMS
      1. Fundamental Requirements
      2. [entry illegible]
IV. RISK ASSESSMENT
   A. RISK MANAGEMENT
   B. RISK INDEX
   C. SECURITY ENVIRONMENT
      1. Open Security Environment
      2. Closed Security Environment
   D. ANOTHER APPROACH FOR RISK ASSESSMENT
      1. Applying Security Requirements
      2. Identifying the Risk Factors
      3. Applying the Risk Factors
V. MULTILEVEL SECURITY IN THE W.A.R. LAB
   A. THE W.A.R. LAB
   B. THE GEMINI TRUSTED MULTIPLE MICROCOMPUTER BASE
   C. RISK ASSESSMENT IN THE W.A.R. LAB
      1. Current Assessment
      2. Proposed W.A.R. Lab Operations
   D. INTEGRATION OF THE GEMINI COMPUTER INTO THE W.A.R. LAB
      1. The Gemini Computer as a Secure Guard
      2. The Gemini Computer as a Basis for Multilevel Security
VI. CONCLUSION
   A. CONCLUDING REMARKS
   B. RECOMMENDATIONS FOR FOLLOW-ON STUDY
APPENDIX A - SECURITY MODES OF OPERATION
APPENDIX B - SECURITY CLEARANCES
APPENDIX C - PROJECTS TO DEVELOP TRUSTED SYSTEMS
APPENDIX D - [illegible] COMPUTING RESOURCES
APPENDIX E - THE GEMINI TRUSTED MULTIPLE MICROCOMPUTER BASE PRODUCT DESCRIPTION
LIST OF REFERENCES
INITIAL DISTRIBUTION LIST


LIST OF TABLES 


RATING SCALE FOR MINIMUM USER CLEARANCE
RATING SCALE FOR MAXIMUM DATA SENSITIVITY
SECURITY RISK INDEX MATRIX
COMPUTER SECURITY REQUIREMENTS FOR OPEN SECURITY ENVIRONMENTS
SECURITY INDEX MATRIX FOR OPEN SECURITY ENVIRONMENTS
COMPUTER SECURITY REQUIREMENTS FOR CLOSED SECURITY ENVIRONMENTS
SECURITY INDEX MATRIX FOR CLOSED SECURITY ENVIRONMENTS
PROCESS COUPLING RISK
SYSTEM RISK
MAPPING SYSTEM RISK AND DATA EXPOSURE TO ORANGE BOOK LEVELS
COMPLETED PROJECTS TO DEVELOP TRUSTED SYSTEMS
PROJECTS UNDERWAY TO DEVELOP TRUSTED SYSTEMS
ABBREVIATIONS USED IN APPENDIX C


LIST OF FIGURES 


Reference Monitor
Structure of a Kernel-Based Operating System
Protection Matrix Access Diagram
Development and Verification Hierarchy
Trusted Computer System Evaluation Criteria Summary Chart
Steps in Applying Guidance


I. INTRODUCTION 


The rapid expansion of information systems and networks in the command and control world has made them a critical link in the national defense. "Computers . . . speed and unfailing accuracy make them well suited to the massive information handling tasks in battle management for: shared information storage, retrieval, and dissemination systems; rapid and common data processing systems; and efficient and reliable communications process control." [Ref. 1:p. 271] Unfortunately, the rapid pace of technological breakthrough in computing systems has far outpaced developments in computer security. Abuses of computers that were not designed from the ground up to provide security currently represent a major problem. For these systems, a great need exists for a front-end processor to authenticate and control access to the system or its resources.

A. HISTORICAL PERSPECTIVE 

In the mid-1950's to the early 1960's, data processing was usually confined to a single center. Programs were brought to the computer center in the form of card decks. These programs were batch processed and any sensitive or classified data could be purged prior to the next user. Since there was no sharing of resources, physical security of the sensitive or classified data and assurance of a cleared memory were the major components of any security policy.

As more powerful and faster computers emerged in the mid-1960's, "operating systems" evolved to allow multiple users. This was a result of the computers' cost and the fact that human operators were too slow to efficiently employ the machines. Simple operating systems selected which jobs would run on a priority basis. More dynamic operating systems allowed several jobs to run at the same time by the use of "multiprogramming". Even more sophisticated yet were operating systems that allowed "time-sharing". Many users were allowed access to the computer through remote terminals. Although all of these users were being serviced at the same time, each user had the illusion of being connected to a dedicated computer. The computer was now under the control of a computer operating system rather than the user. These privileged operating systems soon became the target of malicious users who wanted to penetrate the operating system and share their privileges. Suddenly, computer security became an issue. The need for "trustworthy" operating systems was apparent.

B. COMPUTER SECURITY

"Computer security is the protection of computing assets or resources and computer-based systems against accidental and deliberate threats whose occurrence may cause losses due to those systems' non-availability, lack of integrity, or lack of confidentiality." [Ref. 2:p. 7]

1. Physical Security 

This is the most basic security requirement and should be afforded to all computer systems with considerations given to both the internal and external environments. The degree to which physical security is insured is dependent upon the value of the data being protected. Essentially, most of the considerations given to the physical security of computers are not unique to computers and are closely related to the security given classified documents.

2. Security Modes of Operation 

Information can also be protected from compromise by the particular security mode of operation that is selected. The Department of Defense recognizes five distinct security modes of operation. These modes are enumerated in Appendix A. Security modes of operation fall into one of two general categories: dedicated usage or shared resources.

In the dedicated mode, access to the computer system is restricted to an individual user or homogeneous group of users that have access to all the information that is processed or stored on the system. There is no danger that subversion or failure of the computer will result in the compromise of sensitive information. The computer security problem in this category is one of physical security and personnel screening.

Resources are most often shared among groups of users with a common level of trust to add some flexibility to the dedicated mode. Again, physical security and personnel screening are paramount to such a security policy and all resources/terminals tied to the system must be afforded the same degree of protection. Today's problem is one of being able to share computer resources among users or groups of users that do not share the same level of trust (multilevel security).


3. Communications Security 


Remote and interactive access to computers gives rise to a new threat to information security. Information that is being transmitted through any medium is susceptible to interception. The most common means to combat this threat is data encryption. This technique involves the use of encryption algorithms usually seeded by some variable key to produce unintelligible code prior to transmission. This code can then be deciphered upon receipt.

Although not strictly a communications security problem, emanations security (TEMPEST threat) is mentioned at this point because the same principles of sending and receiving electromagnetic signals are involved. Emanations are electromagnetic energy by-products of computing devices that are usually most severe when communicating with peripherals. These emanations can be detected by sensitive devices for several hundred yards. Cathode ray tubes (CRT's) are especially noted for their signatures. Protection, such as shielding, is technically simple but often awkward and expensive and operationally complex.

4. Authentication

Authentication systems have been in use for a relatively long time. They are absolutely essential as an access controller in an environment of shared resources. The most commonly used is that of the password. "The password serves essentially as a "combination" to a "lock" allowing access to the system." [Ref. 1:p. 274] This type of approach is particularly vulnerable when simple passwords are used, compromise of the password is allowed, or a computerized password generator is used to determine the password (especially if the system does not time out after a number of attempts). Finally, this type of access control permits or prevents access to the computer system, but it fails to distinguish between the various authorized users. This function is dependent upon the internal controls of the computer itself.

This technical weakness can be overcome by the development of a well-formulated security policy that is conveyed to the system designers. The system can then enforce access control mechanisms based on the authorizations it has been given. A trusted system is the result when this process has been successfully accomplished and a well-defined policy regarding access to sensitive information is enforced by the system.

The main requirement for a security policy that is to be integrated into a trusted system is the need for security "labels" for all information to indicate its sensitivity and for all users to indicate their authorization for access. Recent research has shown that an effective labelling policy can be implemented with a two-part label. "The first part represents a hierarchical sensitivity level, such as confidential, secret or top secret; the second, user community of interest or compartment label." [Ref. illegible]

An operating system must maintain these labels internally so that it can enforce the security policy. The technology is currently available, along with mathematical models and formal specifications, to accomplish this task. The most predominant approach is that of the security kernel (to be explained later). Honeywell Information Systems, Inc. and Gemini Computers, Inc. are on the cutting edge of this technology and are among the few vendors actively marketing such trusted systems. This paper concentrates on these trusted systems and their use as a multilevel security system and/or a secure guard.
C. DEVELOPMENT OF MULTILEVEL SECURE SYSTEMS

The need for systems that can provide a multilevel secure environment has been well established as a result of the advent of distributed computing systems and shared resources. Alternatives (benign environment or "system-high" concept) to such systems are unacceptable for many Department of Defense applications. The alternatives to a multilevel secure system are defined in DoD Directive 5200.28:

a. clearing all users to the highest level of information on the system and processing all work at that level, or

b. processing jobs of different levels at different times - requiring a complete system change or sanitization each time the level is changed.

A system operating in either of these unilevel modes is usually operating "system high." Either of these choices is inefficient and costly.

In 1968-1974, "Tiger Teams" were formed to attempt penetration of access control mechanisms of existing operating systems. Remarkably, penetration was accomplished on every commercial operating system. The research community became so concerned that public awareness was heightened and such issues were the impetus for the development of the security kernel which provides the basis for multilevel security.

In 1972, the Air Force Electronic Systems Division (ESD) conducted an in-depth analysis of the requirements for a security system. The basic concept of a reference monitor or a security kernel was the result. This concept was the foundation for work at the Massachusetts Institute of Technology, the MITRE Corporation, and Honeywell Information Systems to begin restructuring the MULTICS operating system.

In 1977, the Department of Defense initiated an effort to produce the DoD Kernelized Secure Operating System (KSOS) which would emulate the UNIX operating system. The UNIX operating system was chosen because of this operating system's use on the popular PDP-11 series of computers. The implementation phase was contracted out to the Ford Aerospace and Communications Corporation in May, 1978. This project became known as KSOS-11 and further development of the operating system was oriented towards the DEC PDP-11/70.

In a joint effort with the Air Force, Honeywell Information Systems began developing KSOS-6 in October [year illegible]. This effort was a continuation of the restructuring of the MULTICS operating system. Research was stop and go based on budgetary and other limitations. However, a standard commercial product called the Secure Communications Processor (SCOMP) was the final result. The system is based upon Honeywell's DPS 6 16 bit minicomputer and the MULTICS operating system. SCOMP has been verified by the DoD Computer Security Center as having an A1 level of security. A discussion of the DoD Computer Security Center's criteria for the various levels of security will be presented in Chapter III.

One of the latest systems to be fielded is the Gemini Trusted Multiple Microcomputer Base by Gemini Computers, Inc. A microcomputer was chosen as the base because it holds great promise serving as a front-end processor because of its physical separation and its small operating system. In the role as a front-end processor for communications, it can easily handle encryption, decryption, and sending and receiving. This system is currently being evaluated for a B3 level of security and will be discussed later in this paper.

Much research on multilevel secure and guard systems was done concurrently with the above efforts and much has been done since. For a more complete look at these and other efforts, refer to Appendix C [Ref. 3: pp. 90-93]. This information is current as of July 1983.

D. OBJECTIVES

The primary objective of this paper is to serve as a reference on the concept of multilevel security for students in the Command, Control, and Communications curriculum at the Naval Postgraduate School who will conduct research on the Gemini Trusted Multiple Microcomputer Base that is scheduled to be purchased for the W.A.R. lab during the current fiscal year. Additionally, an investigation will be conducted to determine the utility of this system (other than research) in the lab.

Since the reference monitor concept (and specifically the security kernel) is the most widely accepted model for multilevel systems, a discussion of the design and implementation of such models will be presented. This discussion details the requirements for the security kernel and presents various verification techniques.

The combination of hardware and software for the purpose of enforcing a security policy is the basis for the trusted computer system or network. The criteria established by the Department of Defense Computer Security Center for evaluating these trusted systems are examined in detail since they have tremendous impact on all computer systems and networks in the Department of Defense that process or store sensitive information.

Much of the information concerning trusted computer systems and networks is necessary for the understanding of the discussion of risk assessment. Risk assessment is an attempt to evaluate the level of risk inherent to a system based upon the computing environment. Two methods of risk assessment will be compared and contrasted. Risk assessment usually involves determining the security level of the user and the sensitivity of the information that is being stored or processed on a system. Throughout this paper the term "security level" will be used to denote the combination of clearance (or classification) and formal compartment (or category set). Appendix B lists the security clearances currently recognized by the DoD Computer Security Center.

Finally, a risk assessment of the Wargaming, Research, and Analysis (W.A.R.) Lab will be presented. These findings will help in an investigation of the integration of the Gemini Trusted Multiple Microcomputer Base into the W.A.R. lab.


II. SECURITY KERNEL DESIGN AND IMPLEMENTATION 


A review of design and implementation guidelines for the security kernel is relevant for any discussion of multilevel security. Most experts agree that, at the present time, the security kernel concept (introduced by Roger R. Schell in 1972) is the most viable approach to meeting security requirements wherever the need exists for a system that processes shared information. In 1974, MITRE successfully tested a security kernel consisting of only twenty primitive subroutines to manage physical resources and enforce protection constraints to prove that this concept was valid.

A. THE REFERENCE MONITOR CONCEPT 

The security kernel approach is based on the reference monitor concept adapted from the models of Butler Lampson (Figure 2.1) [Ref. 4: p. 15]. "A reference monitor is a computer system component that checks each reference by a subject (user or program) to an object (file, device, user, or program) and determines whether the access is valid under the system's security policy. To be effective, such a mechanism must be invoked on every reference, must be small enough so that its correctness can be assured, and must be tamperproof." [Ref. 3:p. 88]

The security kernel can best be described as the hardware and software that transforms the abstract concept of a reference monitor into the reality of a functional security system (Figure 2.2) [Ref. 4: p. 17]. During the design and implementation of the security kernel, total adherence to the following three engineering principles must be observed - completeness, isolation, and verifiability. Every access to system information must be mediated by the kernel (completeness). The kernel must also be sufficiently protected to prevent tampering (isolation). Finally, there must be a close correlation between the formal security policy and the effectiveness of the security kernel (verifiability). The completeness and isolation requirements are best met with hardware foundations and verifiability strengthened by a formal development methodology [Ref. 4:p. 15].

[Figure 2.1 - Reference Monitor. Recoverable label: reference monitor database (user access, object sensitivity, need-to-know).]

[Figure 2.2 - Structure of a Kernel-Based Operating System. Recoverable labels: applications; (1) kernel interface; (2) operating interface; (3) user interface; trusted subjects.]

When the need for a "secure" system arises, a list of demands that would insure the desired level of security must be established. Once this has been accomplished, these demands provide the basis for the establishment of a formal security policy. All the [illegible] modes of access between all subjects and objects must be addressed. These steps must precede the development of a kernel-based system and this formal policy is a primary distinction between the security kernel-based system and other efforts to develop security-relevant operating systems. Concisely, the development of the security kernel-based system encompasses both policy and mechanism.

The security policy is best described by a set of mathematical 
relationships which provide the basis for a formal security model. In 
order to be sufficient, the model must define the overall protection 
behavior of the system as a whole and present a "security theorem" to 
insure that the behavior of the model always complies with the security 
requirements of the applicable policy [Ref. 4:p. 15]. The policy must
also address both discretionary access rules (applicable to all users)
and nondiscretionary access rules (optional rules applicable to certain
users).

1. The Bell and LaPadula Model 

The model most widely used for security Kernel development is 
referred to as the Bell and LaPadula model which is the product of early 
security Kernel work at MITRE and Case Western Reserve University. This 
model represents the Kernel as a finite state machine and defines rules 
for allowable transitions from one secure state to another. Within the
model, an access class (a security identifier) is assigned to each
subject and object of the reference monitor. Allowable access to
objects is made by comparing the access class of both subjects and
objects at each transition state. The access classes are organized in a
mathematical structure called a lattice or protection matrix. The 
lattice arrangement defines relationships among the access classes to 
determine if one access class is greater than, less than, equal to, or 
not comparable to another class. 

Figure 2.3 [Ref. 5:p. 212] shows a hypothetical representation 
of a protection matrix access diagram located within a security Kernel.
In this example, User B is considered to be the system administrator.
It is clear that his privileges far exceed those of User A. Also, this
representation shows that other programs or functions, such as the
Editor Command Module, are allowed to operate within established limits. 
Such an access matrix must reside in the security kernel to insure its 
integrity. 

[Figure 2.3 - Protection Matrix Access Diagram]

The model contains two fundamental nondiscretionary rules -
simple security condition and *-property. The simple security condition
allows a subject at a given security level to have read access only to
objects at the same or lower security levels (no read up). Simply
stated, this rule prevents unauthorized personnel from directly viewing
information for which they do not have proper access. The *-property
prevents a subject from having write access to objects at lower security
levels (no write down). This rule was established to combat "Trojan
horse" software and prevents users from unauthorized indirect viewing of
information.

The model also includes rules to protect the integrity of the
system's information and to prevent improper alteration. Subjects of
one access class cannot alter objects located in a higher class.
Conversely, a subject of one access class cannot be altered by objects
of a lower access class.

Provisions also exist in the model for discretionary access. 
Authorized users and programs can arbitrarily grant and revoke access to 
information based on user names or other information. 
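
The lattice comparison, the two nondiscretionary rules and the integrity rule described above, as an added example that is not part of the original thesis. The level names, the category sets, the `ReferenceMonitor` class and the sample subjects and objects are assumptions constructed for illustration; "write" here means alteration without read.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Hierarchical sensitivity levels (constructed for this example)."""
    UNCLASSIFIED = 0
    CONFIDENTIAL = 1
    SECRET = 2
    TOP_SECRET = 3


@dataclass(frozen=True)
class AccessClass:
    """Access class = level plus a set of categories (assumed structure)."""
    level: Level
    categories: frozenset = frozenset()

    def dominates(self, other):
        """True when self is greater than or equal to other in the lattice."""
        return self.level >= other.level and self.categories >= other.categories


def compare(a, b):
    """Return the lattice relation of a to b, one of the four the text names."""
    if a == b:
        return "equal"
    if a.dominates(b):
        return "greater than"
    if b.dominates(a):
        return "less than"
    return "not comparable"


class ReferenceMonitor:
    """Finite state machine: the state is the set of accesses granted so far."""

    def __init__(self, subjects, objects, enforce_integrity=False):
        self.subjects = subjects          # name -> AccessClass
        self.objects = objects            # name -> AccessClass
        self.enforce_integrity = enforce_integrity
        self.current = set()              # granted (subject, object, mode)
        self.audit = []                   # every decision, granted or not

    def permitted(self, subject, obj, mode):
        s, o = self.subjects[subject], self.objects[obj]
        if mode == "read":                # simple security: no read up
            return s.dominates(o)
        if mode == "write":               # *-property: no write down
            ok = o.dominates(s)
            if self.enforce_integrity:    # and no altering a higher class
                ok = ok and s.dominates(o)
            return ok
        return False                      # unknown modes are refused

    def request(self, subject, obj, mode):
        """Take the transition only if the resulting state is still secure."""
        ok = self.permitted(subject, obj, mode)
        if ok:
            self.current.add((subject, obj, mode))
        self.audit.append((subject, obj, mode, "grant" if ok else "deny"))
        return ok

    def is_secure(self):
        return all(self.permitted(*access) for access in self.current)


def demo(enforce_integrity=False):
    war = frozenset({"WARGAME"})
    subjects = {"analyst": AccessClass(Level.SECRET, war)}
    objects = {
        "plan": AccessClass(Level.SECRET, war),
        "intel": AccessClass(Level.TOP_SECRET, war),
        "crypto": AccessClass(Level.SECRET, frozenset({"CRYPTO"})),
        "bulletin": AccessClass(Level.UNCLASSIFIED),
    }
    rm = ReferenceMonitor(subjects, objects, enforce_integrity)
    results = {
        "read plan": rm.request("analyst", "plan", "read"),
        "read intel": rm.request("analyst", "intel", "read"),
        "read crypto": rm.request("analyst", "crypto", "read"),
        # A Trojan horse running as the analyst tries to copy data downward.
        "write bulletin": rm.request("analyst", "bulletin", "write"),
        "write plan": rm.request("analyst", "plan", "write"),
        "write intel": rm.request("analyst", "intel", "write"),
    }
    return results, rm.is_secure()


if __name__ == "__main__":
    for flag in (False, True):
        print("integrity rule on" if flag else "integrity rule off", demo(flag))
```

With the integrity rule enabled, the only alteration left to the analyst is at an equal access class, which is what the two rules together imply.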

One limitation of the Bell and LaPadula model, as with most 
other models, is the lack of safeguards against denial of service. 
Denial of service is the threat of intentional or unintentional
disruption or degradation of service. However, the inclusion of a 
security kernel does not affect the system’s susceptibility to the 
threat of denial of service. This shortcoming is attributable to the 
difficulty of establishing a mathematical model to represent the rules. 
B. THE DEVELOPMENT PROCESS 

Once a security policy has been formalized and an appropriate model
has been selected, the development process must be divided into small
increments for implementation. "One common technique is to apply a
hierarchy of abstract specifications to the design of the security
kernel. For each step, it is important to demonstrate security so that
we have confidence in the security of the final system." [Ref. 4:p. 16]
Figure 2.4 is a depiction of the integration of the model, the hierarchy
of specifications, and the high-level language implementation [Ref. 4].

Three classes of formal verification techniques during the kernel 
development process are also shown in Figure 2.4. The first class is 
used to prove that the Kernel responds as outlined in the formal 
high-level interface specification. Security flow analysis is often 
used to analyze information flow in a specification. The second class 
of verification tests the correctness of mappings between intermediate 
specifications in the hierarchy and interface specifications. The third 
and most traditional technique is the verification of implementation to 
specification. 

The Kernel provides a relatively small subset of the operating 
system's functions. The kernel primitives that provide the interface of 
this subset to the remainder of the operating system are often referred 
to as the supervisor.  General-purpose operating system functions used 
by the applications are provided by the supervisor primitives. 

Functional areas such as process management, file system management
for segments, and I/O control comprise the operating system. Each of
these areas possibly has security-relevant functions that must be in
the security Kernel. The policy model should identify these
security-relevant functions. Of particular importance is the Kernel's role in
managing system resources such as memory and disk space that are shared
by multiple users. These functions are located in the Kernel because
they must be virtual (realized by the combination of hardware and
software) in order to hide their location from untrusted software. It
is permissible for any utility controlling anything not shared by users
to be located outside the Kernel (in the supervisor).

[Figure 2.4 - Development and Verification Hierarchy. Levels, top to bottom: Security Policy Model; High-Level Kernel Interface Specification; Lower Level Detail Specifications; Kernel High-Level Language Implementation. Links between successive levels: Verification of Specification to Model; Intermediate Correspondence Proofs or Mappings; Verification of Implementation to Specification.]

The basic security model that has been described thus far is
rudimentary and most likely the greatest need exists for a system that
can be tailored to meet specific requirements that may change from time
to time. A Kernel that is written so that it is adaptable usually has a
group of interfaces that can be invoked by individuals/programs with
special privileges - trusted subjects. Internal identifiers such as
privilege indicators allow actions such as certain system maintenance
activities and access control for nontrusted subjects (Figure 2.2)
[Ref. 4:p. 17]. Trusted subjects utilize trusted processes and trusted
functions to perform such routine tasks as maintenance of the system's
access roster and the upgrading or downgrading of classified material
when appropriate.

1. Security Kernel Design and Implementation

The design of the security Kernel can approach two extremes when 
considering the degree to which the Kernel implementation is to be 
founded in hardware. At one extreme, the Kernel is entirely written in 
software and can be run on any conventional machine. In this case, the 
Kernel interprets every user instruction and disallows direct user 
instructions to hardware. The only hardware involvement is its
execution of the Kernel software. The other extreme is the total
implementation of the Kernel as hardware instructions which places
absolute responsibility for security on system architecture. Obviously,
tradeoffs must be made between hardware and software with respect to 
complexity, size, and performance. 

Specific hardware and software mechanisms from four general 
architectural areas have contributed to varying degrees to supporting a 
Kernel-based general-purpose operating system. These four architectural 
areas are: explicit processes, memory protection, execution domains, and 
I/O mediation [Ref. 4:p. 18].

Explicit processes refer to the need for support for multiple
processes (multiprogramming) and interprocess communications. Access
decisions for subjects are made on the basis of the user's
identification and access class. These two identifiers must be
impossible to counterfeit and are tied to each process. In an on-line
system, multiple users must be serviced, thus the Kernel must support
multiple simultaneous processes. This creates the need for a greater
number of process switches and makes efficient process-switching
mechanisms such as high speed memory more desirable.

Memory protection requires large segmented virtual memory, 
access control to memory, and explicitly identified objects. Memory is 
the usual realization of the reference monitor concept of storage
object. Virtual memory and the use of some form of descriptor are
commonly used together to serve as an interpretive mechanism to mediate 
all access to memory. 

All information within the system must be represented by
distinct, identifiable objects. The virtual address space of an object
includes more than one object. Each has its own distinct logical
attributes such as size, access mode, and access class. This logically
distinct memory is called a segment.

Virtual memory segmentation is usually supported by hardware. 
The mapping for segments to virtual address is controlled by a 
descriptor. This descriptor has not only logical attributes but 
contains both a physical base address and a segment size which uniquely 
identifies each segment. The segment descriptor must support the access 
modes of at least null, read, and read-write for each segment in order 
to provide adequate discretionary and nondiscretionary access policies. 
These segment descriptors are managed by the security Kernel software.
However, the address-mapping hardware still plays a significant role in
the actual access mediation process. 
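
The descriptor-based mediation described above, simulated in software as an added example that is not part of the original thesis. The `AddressMapper` class, its method names, the process and segment numbers and the 64-byte memory layout are assumptions constructed for illustration; in the architecture the text describes, the translation step is performed by address-mapping hardware.

```python
from dataclasses import dataclass
from enum import IntEnum


class Mode(IntEnum):
    """Access modes the text requires every descriptor to support."""
    NULL = 0
    READ = 1
    READ_WRITE = 2


class SegmentFault(Exception):
    """Raised where address-mapping hardware would trap to the kernel."""


@dataclass(frozen=True)
class Descriptor:
    base: int    # physical base address of the segment
    size: int    # segment size in bytes
    mode: Mode   # access mode granted to this process for this segment


class AddressMapper:
    def __init__(self, physical_size):
        self.memory = bytearray(physical_size)
        self._tables = {}   # process id -> {segment number: Descriptor}

    def kernel_set_descriptor(self, pid, segno, desc):
        """Kernel-domain operation: only the kernel edits descriptor tables."""
        end = desc.base + desc.size
        if desc.base < 0 or desc.size <= 0 or end > len(self.memory):
            raise ValueError("descriptor outside physical memory")
        self._tables.setdefault(pid, {})[segno] = desc

    def _translate(self, pid, segno, offset, length, needed):
        """Mediate one access: check mode first, then segment bounds."""
        desc = self._tables.get(pid, {}).get(segno)
        if desc is None or desc.mode < needed:
            raise SegmentFault(f"pid {pid} seg {segno}: mode violation")
        if offset < 0 or length < 0 or offset + length > desc.size:
            raise SegmentFault(f"pid {pid} seg {segno}: outside segment")
        return desc.base + offset

    def read(self, pid, segno, offset, length):
        start = self._translate(pid, segno, offset, length, Mode.READ)
        return bytes(self.memory[start:start + length])

    def write(self, pid, segno, offset, data):
        start = self._translate(pid, segno, offset, len(data), Mode.READ_WRITE)
        self.memory[start:start + len(data)] = data


def attempt(action, *args):
    """Run one user-domain access and report a fault instead of raising."""
    try:
        return action(*args)
    except SegmentFault:
        return "fault"


def demo():
    mmu = AddressMapper(physical_size=64)
    # Constructed layout: segment A at [0, 16), segment B at [16, 32).
    mmu.kernel_set_descriptor(1, 0, Descriptor(0, 16, Mode.READ_WRITE))
    mmu.kernel_set_descriptor(2, 0, Descriptor(0, 16, Mode.READ))
    mmu.kernel_set_descriptor(2, 1, Descriptor(16, 16, Mode.NULL))
    mmu.kernel_set_descriptor(3, 0, Descriptor(16, 16, Mode.READ_WRITE))
    mmu.write(3, 0, 0, b"segment-B secret")
    mmu.write(1, 0, 0, b"shared")
    return {
        "reader_sees_writer": attempt(mmu.read, 2, 0, 0, 6),
        "reader_write": attempt(mmu.write, 2, 0, 0, b"x"),
        "null_mode_read": attempt(mmu.read, 2, 1, 0, 4),
        "overrun_into_B": attempt(mmu.read, 1, 0, 12, 8),
        "unmapped_segment": attempt(mmu.read, 1, 5, 0, 1),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

Processes 1 and 2 share one physical segment through two descriptors with different modes, and the bounds check keeps process 1 from reading past segment A into the adjacent segment B.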

Although access to segments is dependent upon unique 
descriptors, the possibility of an unintentional leakage of information
by use of control information such as file names and attributes and 
system variables maintained within the Kernel database still exists. 
ct design and verification techniques can prevent or detect this 
deficiency. The discovery of such a leakage channel late in the
Kernel's development is a formidable problem for the Kernel designer.

Execution domains are necessary for the isolation and
protection of the security Kernel mechanism. In order for security
Kernel functions to be invoked, the total address space of the process
must include the programs and data of the security Kernel. When the
process must access segment descriptors, it is necessary for this
execution to take place in the Kernel only. This requires a separate
execution domain for the security Kernel. It is also desirable to keep
the supervisor separated from the applications software. A domain
structure with three hierarchical domains (Kernel, supervisor, and user)
is necessary to keep the user and the operating system separated.

Efficient transfer of control between domains is a desirable 
feature because of the vast number of calls a process makes to the 
Kernel and the supervisor. Access to the most privileged domains of the 
system must be characterized by a few, carefully defined entry points or 
security will reduce speed dramatically. 

Input/Output mediation can best be handled by a hardware 
architecture (e.g., I/O processor) that allows direct user or supervisor
domain access to I/O. This requires the use of a descriptor to control
access to devices similar to the descriptors used for access to memory. 

2. Verification 

The final comment about security Kernel design and
implementation concerns verification. Verification technology has not
fully matured and is limiting. At the present time, the greatest degree
of success has been associated with specification verification such as
the flow analysis method mentioned earlier in Section B of this chapter.


III. DOD TRUSTED COMPUTER SYSTEMS AND NETWORKS 


Two publications having possibly the greatest impact on multilevel 
security in computers and distributed systems of computers or networks 
are products of the Department of Defense Computer Center located at 
Fort Meade, Maryland. They are the Department of Defense Trusted
Computer System Evaluation Criteria (CSC-STD-001-83) dated 15 August
1983 and the Department of Defense Trusted Network Evaluation Criteria
(currently in Draft) dated 29 July 1985. These two publications will be 
discussed in some detail since the blueprint for all acceptable systems 
must conform to these criteria and the current vernacular of trusted 
systems can be traced to these documents. 

A. TRUSTED COMPUTER SYSTEMS 

The publication, Department of Defense Trusted Computer System
Evaluation Criteria was written by the Department of Defense Computer
Security Center in accordance with DoD Directive 5215.1, "Computer
Security Evaluation Center." The purpose of the document is to establish a
"uniform set of basic requirements and evaluation classes for assessing
the effectiveness of security controls built into Automatic Data
Processing (ADP) systems." [Ref. 6: p. i] Any ADP system used for the
processing and/or storage and retrieval of sensitive or classified
information by the Department of Defense is to be evaluated using the
criteria defined in the document. This publication is commonly referred
to as the "orange book."


Many of the criteria presented in this publication originated from
work done by the MITRE Corporation and the National Bureau of Standards
(NBS) prior to the formation of the DoD Computer Security Center in
January 1981. These standards fulfill two distinct sets of
requirements: 1) specific security feature requirements; and 2) assurance
requirements. The specific security features are primarily oriented
towards information systems employing general-purpose operating systems
rather than applications programs being supported. The assurance
requirements are applicable for all computing environments ranging from
dedicated controllers to full range multilevel secure resource sharing
systems [Ref. 6: p. 21].

1. Fundamental Requirements 

A secure computer system must limit access to information and
allow properly authorized individuals or their appointed representatives
only to read, write, create, or delete information. Six fundamental
requirements are presented as absolute essentials in obtaining such a
secure system. Four of these requirements deal with the actual needs to
be provided to control access to information and two deal with
assurances that this access to information is in fact being controlled 
and that a trusted computer system exists. 

The first two requirements involve an organization’s policy 
towards computer security: 
Requirement 1 - Security Policy 

The system must be capable of enforcing an explicit and
well-defined security policy to insure that only personnel with proper
access (to include discretionary access) are allowed access to the
system. Security policy design should be influenced by the perceived
threats, risks and goals of the organization.


There are two types of security policy to be considered:
mandatory security policy and discretionary security policy. Mandatory
security policy establishes a set of rules that permits or denies access
to material based directly on the individual's clearance or
authorization. Discretionary security policy takes the permission or
denial of access one step further and is the principal type of access
control available in computer systems today. Not only must an
individual be authorized access to information, but a need-to-know
requirement must also exist. It is important to note that a
discretionary policy is to be developed in addition to the mandatory
policy and not as a substitute.


Requirement 2 - Marking

Objects must be marked with access control labels that conform
to the mandatory security policy. These labels must identify the
sensitivity or classification of the object and the mode of access for
authorized users. Whether used internally or as output, accuracy and
integrity of the security labels is paramount.


The third and fourth requirements are concerned with 
accountability: 


Requirement 3 - Identification 

The computer system must be able to mediate access to
information by identifying authorized users and determining their level
of clearance and their need-to-know. Once identification of the user
has been established, there must be a means of authentication.


Requirement 4 - Accountability 

Audit information must be recorded so that all transactions
affecting system security can be traced to the responsible party. This
information log must be protected from any tampering that would alter or
delete such an audit trail.


The final two requirements involve assurance that the computer 
system is secure: 


Requirement 5 - Assurance 

The computer system must contain hardware/software mechanisms
that can be individually evaluated to assure adherence to Requirements
1-4. Two types of assurance are needed: life-cycle assurance and
operational assurance.

"Life-cycle assurance refers to steps taken by an organization
to insure that the system is designed, developed, and maintained using
formalized and rigorous controls and standards...Operational assurance
focuses on features and system architecture used to insure that the
security policy is uncircumventably enforced during system operation."
[Ref. 6:p. 60]


Requirement 6 - Continuous Protection 

The computer system must continuously provide the protection
outlined in these fundamental requirements before it can be judged a
trusted system.

2. The Criteria 

The criteria set forth by this publication are divided into four
hierarchical divisions: A: Verified Protection, B: Mandatory Protection,
C: Discretionary Protection, and D: Minimal Protection [Ref. 6].
They are arranged from the highest level of security to the lowest level
respectively. The step up from one Division to another represents a
significant increase in security. Divisions B and C are further
subdivided into classes that are arranged in a hierarchical manner based
on the security mechanism that they possess. A rating for a particular
system is based on thorough testing of the security-relevant portions
of that system. The security-relevant portion of the system is spoken
of collectively as the Trusted Computing Base (TCB). Each class is
described by four major sets of criteria: Security Policy,
Accountability, Assurance, and Documentation.

Division D: Minimal Protection has only one class and is 
reserved for systems that have been evaluated, but failed to achieve the 
standards of a higher class. 

Division C: Discretionary Protection contains two classes that
provide discretionary access to information and the means to audit and
account for such usage. The two classes are: Class C1: Discretionary
Security Protection and Class C2: Controlled Access Protection.

The Trusted Computing Base (TCB) of Class C1 satisfies
discretionary access requirements by separating users and data. The
Class C1 environment is expected to be one of cooperating users
processing data at the same level of sensitivity [Ref. 6:p. 12].
Identification and authentication are required to determine authorized
individual or group users.

The discretionary control of Class C2 is made more positive
through login procedures, auditing of security-relevant events, and
resource isolation. The emphasis is on the individual user in this
class. By limiting usage to individuals or groups of named individuals,
accountability for sensitive data is more easily maintained.

Division B: Mandatory Protection contains three classes that
are characterized by a Trusted Computing Base (TCB) that preserves the
integrity of the security labels and uses them to enforce a set of
mandatory access control rules by using the reference monitor concept
(e.g., a security kernel). These three classes are: Class B1: Labeled
Security Protection, Class B2: Structured Protection, and Class B3:
Security Domains.

Class B1 systems have all the same requirements found in Class
C2. Additionally, an informal statement of the security policy model,
data labeling, and mandatory access control over named subjects and
objects must be present. The capability must exist for accurately
labeling exported information and any flaws detected by testing must be
corrected [Ref. 6:p. 20].

In contrast to Class B1, Class B2 requires the presence of a
formal security policy clearly stating both mandatory and discretionary
access controls. The TCB enforces a more rigid authentication
mechanism. This is the first level that addresses covert channels - a
communication channel that allows the transfer of information in such a
manner that violates the system's security policy. Systems conforming
to Class B2 requirements are considered to be relatively resistant to
penetration.

Class B3 must include a reference monitor that will mediate all 
user access to system information, be tamperproof, and be small enough 
for exhaustive tests and analysis. Security administration is supported 
and audit mechanisms are expanded to signal all security-relevant events 
with recovery procedures required. Class B3 systems are considered to 
be highly resistant to penetration. 


Finally, Division A: Verified Design presently contains one
class - Class A1: Verified Design which has the most rigid security
requirements given the state of current technology. Extensive
documentation is required on the TCB to demonstrate the ability to
conform to security requirements. Systems in this class are
functionally equivalent to Class B3. There are no architectural
features or policy differences. The significant highlight is the added
emphasis on formality in this class. Formal security verification
methods are required to assure that both mandatory and discretionary
access controls protect all classified or sensitive information either
stored or processed on the trusted system.

Figure 3.1 [Ref. 6:p. 107] summarizes the trusted computer
system evaluation criteria requirements for each classification.

[Figure 3.1 - Summary Chart: Trusted Computer System Evaluation Criteria. Legible legend entries: no additional requirements for this class; new or enhanced requirements for this class.]


B. TRUSTED NETWORK SYSTEMS 

The second DoD Computer Security Center publication previously 
mentioned currently exists in draft form only. The document is 
entitled, Department of Defense Trusted Network Evaluation Criteria, 
dated 29 July 1985, and is the logical complement to the DoD Trusted 
Computer System Evaluation Criteria. 

The criteria were first established for computer systems in 1983, 
but it was soon realized that there were unique risks associated with 
distributed systems or networks that needed to be addressed separately. 

Distributed computer systems or networks are composed of a set of
nodes, communications lines connecting these nodes, and a set of rules
(protocol) to facilitate the network's operation. A node is usually
composed of a communications processor (switch) and at least one host
processor. At one extreme, a single processor may serve both the
communications and host functions. On the other, each function may be
performed by multiprocessors. A typical node configuration may include
a communications processor, a host, and a network front-end processor
(NFEP) which may perform both pre- and post-processing for the host.

Establishing a security policy for a distributed system is a far
greater task than in a centralized system. Security in the distributed
system is only as strong as the quality of the enforced security policy
at any one node and a breach of security at one node can have grave
implications for other nodes in the system. An environment exists where
users interact with host systems via remote access terminals in a real
time fashion where data can be accessed, read, altered, or destroyed in
a very rapid manner. Often these remote terminals are in a more hostile
environment than the host and the user is free from administrative and
operational controls.

Certainly, the security issues of distributed systems are more than 
the union of the security issues of communications and computer systems. 
These issues address a unique threat of leakage or loss [Ref. M so: 


1. The physical security problem extends beyond the physical
environs of the host computer's location.

2. The communications lines are vulnerable to tapping or
passive monitoring of emanations. Crosstalk between
communications lines or within the switching centrals can
present a vulnerability.

3. A large population of users with varying clearances and
need-to-know authorizations interact simultaneously on the
network system.

4. The probability of system error and vulnerability to
intrusion becomes greater as the size of the network
increases.

5. Exhaustive testing and verification of software to determine
if errors or anomalies exist is not possible for large
software systems.

6. The identification of a user located at a remote terminal or
facility is more difficult.


The Trusted Network Evaluation Criteria is divided into two parts:
Trusted Network Criteria, applied on a global network-wide basis, and 
Trusted Network Component Criteria, applicable to individual network 
components. Both parts are closely linked and many of the criteria are 
derived from the "orange book." 

Again, there are four hierarchical divisions of enhanced security
protection. These divisions are delineated with respect to the three
issues of data compromise, erroneous communications, and denial of
service. Since different hardware and software are likely to be used
within network systems, a separate evaluation should be conducted in
each area.

For a network to be assigned a division rating for data 
compromise, erroneous communications, or denial of service the network 
must satisfy all Trusted Network Criteria for that division and all of 
its trusted components must satisfy at least the equivalent division 
requirements of the Trusted Network Component Criteria. Limited by 
technology, criteria for erroneous communications and denial of service 
are yet to be defined for the most rigid security division, NA. 

A reference model such as the International Standards Organization
Open Systems Interconnection (OSI) Model or its equivalent must be
established for comparison purposes when evaluating a network. "The
hierarchy of protocols to be used within the network by host computers
and network components must be specified, as well as the location and
content of any security-relevant information contained within those
protocols, such as security labels. A direct correspondence must be
shown between the security-relevant portions of these communications
protocols and the security features employed in the trusted components."
[Ref. 7:p. 4]

1. Fundamental Requirements 

The six fundamental requirements listed previously for a
"secure" computer system can be extended for applicability to the
"secure" network with little modification - four dealing with what needs
to be done to control security in a trusted network and two dealing with
credible assurances that these requirements are met.


2. The Criteria

Again, the Trusted Network Criteria define the minimum set of 
global security features and assurance requirements to be met by the 
Trusted Network Base (TNB). There are many parallels between the four 
hierarchical divisions of the Trusted Network Criteria and the Trusted 
Computer Systems Evaluation Criteria. The four divisions are Division 
ND, Division NC, Division NB, and Division NA. Significant additions 
having relevancy to trusted network systems will be discussed. 

Division ND: Minimal Protection is reserved for those systems
that have been evaluated but failed to meet the requirements for a
higher evaluation division. Minimum security results and there are no
security features to protect against data compromise, erroneous
communications, and denial of service.

Minimal data compromise, erroneous communications, and denial of
service are indicative of Division NC: Controlled Access Protection.
Security decisions based on the classification of information are
handled administratively; thus, networks within this division are not
required to make security decisions based on the classification of
objects and subjects. Network compromise protection is achieved through
the use of techniques such as resource isolation within network
components, data encryption, or physical protection of the
communications medium. Network discretionary access control is defined
by the Trusted Network Base (TNB) and uses enforcement mechanisms such
as closed user groups and network access control lists to include or
exclude access with the focus on the single network subject. The
following documentation is also required for this division: Network
Security Features User's Guide, Trusted Network Facility Manual, Network
Test Documentation, and Network Design Documentation.

A documented, formal security policy model that requires 
mandatory access control enforcement over all network subjects and 
network objects and which addresses the issue of covert channels must 
exist for networks within Division B: Mandatory Protection. TNB design 
and implementation require more thorough testing and more complete 
review. The TNB must maintain sensitivity labels for all network 
resources that can be accessed either directly or indirectly by subjects 
external to the TNB. These labels are to be used as the basis for 
access control decisions. "The TNB shall support a trusted
communication path between network subjects for use when positive
component to component communication is required (e.g., initialization,
encryption key management, change of network subject security level(s)).
Communications via this trusted path shall be activated exclusively by a
network subject or the TNB and shall be logically and unmistakably
distinguishable from other paths." [Ref. 7:p. 19] The same documents
are required as in the previous level; however, a more formal 
description of the network’s resources and test results is needed. 

Division NA: Verified Design requires networks to possess a
reference monitor that mediates all accesses of subjects to objects, be
tamperproof, and the distributed portions of the TNB to be small enough
to be subjected to analysis and tests. Formal design specification and
verification techniques assure that the TNB is correctly implemented.
There are two types of formal specification - "formal policy model" and
"formal top level specification (FTLS)." The "formal policy model" is
used to analyze a complete network and must be demonstrated by a
mathematical proof that it supports the security policy. The "formal
top level specification (FTLS)" deals with the detailed functionality of
the network and must be consistent with the model by formal verification
techniques. Formal analysis techniques must be used to identify and
analyze covert channels.

The Trusted Network Component Criteria are detailed to establish 
the minimum set of security features and assurance requirements that 
each component must meet in order to insure that the global Trusted 
Network Base (TNB) requirements can be achieved. These standards are 
treated in the same manner as the aforementioned Trusted Network 
Criteria; thus, little purpose is served by pointing out the specific 
requirements of each division (see Reference 7 for more details). 


IV. RISK ASSESSMENT 


The purpose of multilevel security is to provide cost-effective 
countermeasures to protect a system from the many threats which exist. 
These countermeasures must reduce the frequency and impact of threats 
upon the system, provide for contingency planning when the system's 
operation is disrupted, and audit the system in both the normal and 
standby modes of operation. The problem of weighing the risk of the 
loss threatened with the cost of effective countermeasures gives rise to 
the imprecise science of risk management. A brief discussion of risk 
management in general will be followed by a look at the methodology set 
forth by the DoD Computer Security Center for assessing a system's 
inherent risk and at an approach suggested by Carl Landwehr and H. O. 
Lubbes of the Naval Research Laboratory in Washington, D.C. 

A. RISK MANAGEMENT 

Risk management involves the manipulation of various tools and 
techniques tailored to meet a specific need in the prevention of 
unauthorized intervention in the various levels of a system's operation. 
However, the methodologies employed are basic [Ref. 9:p. 26]: 

a. Threat identification 

b. Threat impact measurement 

c. Countermeasure identification and measurement 

d. Countermeasure selection 

e. Implementation and monitoring of safeguard effect 


Historically, risk managers have measured the cost-effectiveness of 
security measures taken in terms of dollars. This has led to greater 
concern over those threats that cause total or near total destruction of 
the system (e.g., natural causes, gross errors, omissions). If 
reasonable security measures have been taken, many of these threats 
(e.g., errors and omissions) have a greater probability of occurrence 
than penetration of the system by an unauthorized source. It is also 
difficult to determine the "cost" of compromised classified information 
(assuming that a penetration has been detected). However, once the 
commitment is made to develop multilevel trusted systems, greater access 
to systems by users of varying levels of clearances and need-to-know 
authorizations increases the risk of compromise. The need still exists 
for safeguards against the traditional concerns, but the threat of 
unauthorized penetration must be given much greater attention when the 
secrets of a nation are at stake. The DoD Computer Security Center has 
developed a scheme for assessing the risk in trusted systems. 

B. RISK INDEX 

The evaluation classes described in the DoD Trusted Computer System 
Evaluation Criteria are primarily based on the level of security risk 
inherent to a particular system. Another DoD Computer Security Center 
publication, Technical Rationale Behind CSC-STD-003-85: Computer 
Security Requirements--Guidance for Applying the Department of Defense 
Trusted Computer System Evaluation Criteria in Specific Environments, 
presents a methodology for assessing a system's inherent risk - the 
"risk index." "The risk index can be defined as the disparity between 
the minimum clearance or authorization of system users and the maximum 
sensitivity of data processed by a system." [Ref. 10:p. 5] Although 
other factors can influence security risk, the risk index is uniformly 
applied in the determination of security risk and is the only basis for 
determining the minimum class of trusted systems. 


The risk index is computed by comparing the system's minimum user 
clearance (Rmin) from Table 4.1 [Ref. 10:p. $] with the system's maximum 
data sensitivity (Rmax) from Table 4.2 [Ref. 10:p. 7]. The 
relationships for the actual computations follow: 

Case I.  If Rmin is less than Rmax, then the Risk Index is 
         determined by subtracting Rmin from Rmax: 

             Risk Index = Rmax - Rmin 

         (This equation works in all cases but one. When the 
         minimum clearance is Top Secret/Background Investigation 
         and the maximum data sensitivity is Top Secret, the Risk 
         Index should be 0 rather than the computed value of 1.) 

Case II. If Rmin is greater than or equal to Rmax, then: 

                      | 1, if there are categories on the system 
                      |    to which some of the users are not 
                      |    authorized access. 
         Risk Index = | 
                      | 0, otherwise (i.e., if there are no 
                      |    categories on the system or if all 
                      |    users are authorized access to all 
                      |    categories). 

Table 4.3 [Ref. 10:p. 8] is a matrix of computed security risk 
indexes for categories associated with maximum data sensitivity levels 
above Secret. If local authorities feel that the environment has 
additional risk factors affecting system security, a larger risk index 
can be assigned. 


TABLE 4.1 

RATING SCALE FOR MINIMUM USER CLEARANCE(1) 

MINIMUM USER CLEARANCE                                        RATING (Rmin) 

Uncleared (U) 
Not Cleared but Authorized Access to Sensitive Unclassified 
  Information (N) 
Top Secret (TS)/Current Special Background Investigation (SBI) 
One Category (1C) 
Multiple Categories (MC) 

[The rating values and the remaining rows of this table are not legible in this copy.] 

(1) See Appendix B for a detailed description of the terms listed. 


TABLE 4.2 
RATING SCALE FOR MAXIMUM DATA SENSITIVITY 

MAXIMUM DATA SENSITIVITY   RATING   MAXIMUM DATA SENSITIVITY                 RATING 
RATINGS(2) WITHOUT         (Rmax)   WITH CATEGORIES(1)                       (Rmax) 
CATEGORIES 

Unclassified (U)           0        Not Applicable(3) 

Not Classified but                  N With One or More Categories 
Sensitive(4) 

Confidential (C)           2        C With One or More Categories            3 

Secret (S)                          S With One or More Categories With No 
                                    More Than One Category Containing 
                                    Secret Data 
                                    S With Two or More Categories 
                                    Containing Secret Data 

Top Secret (TS)                     TS With One or More Categories With No 
                                    More Than One Category Containing 
                                    Secret or Top Secret Data 
                                    TS With Two or More Categories 
                                    Containing Secret or Top Secret Data 

(1) The only categories of concern are those for which some users are not authorized access to the 
category. When counting the number of categories, count all categories regardless of the 
sensitivity level associated with the data. If a category is associated with more than one 
sensitivity level, it is only counted at the highest level. 

(2) Where the number of categories is large or where a highly sensitive category is involved, a 
higher rating might be warranted. 

(3) Since categories imply sensitivity of data and unclassified data is not sensitive, unclassified 
data by definition cannot contain categories. 

(4) N data includes financial, proprietary, privacy, and mission sensitive data. Some situations 
(e.g., those involving extremely large financial sums or critical mission sensitive data), may 
warrant a higher rating. The table prescribes minimum ratings. 

(5) The rating increment between the Secret and Top Secret data sensitivity levels is greater than 
the increment between other adjacent levels. This difference derives from the fact that the loss 
of Top Secret data causes exceptionally grave damage to the national security, whereas the loss 
of Secret data causes only serious damage.(4) 


TABLE 4.3 
SECURITY RISK INDEX MATRIX 

[Matrix: rows give the Minimum Clearance or Authorization of System Users; columns give the Maximum Data Sensitivity. Cell values are not legible in this copy.] 

U = Uncleared or Unclassified 
N = Not Cleared but Authorized Access to Sensitive Unclassified Information or 
Not Classified but Sensitive 
C = Confidential 
S = Secret 
TS = Top Secret 
TS(BI) = Top Secret (Background Investigation) 
TS(SBI) = Top Secret (Special Background Investigation) 
1C = One Category 
MC = Multiple Categories 


C. SECURITY ENVIRONMENT 
As mentioned previously, factors other than the risk index are 
important when the overall threat of compromised information is to be 
considered. One such factor is the nature of the environment in which 
the system is operating. The environment is the aggregate of external 
factors affecting the development, operation, and maintenance of a 
system. Two common environments referred to are the open and the closed 
environment. This description is based upon the TCB’s vulnerability to 
the insertion of malicious logic. Malicious logic can be either 
hardware, software, or firmware that is intentionally included in a 
system for the express purpose of causing loss or harm. An open 
environment is one in which adequate precautions against the insertion 
of malicious logic have not been invoked. Conversely, a closed 
environment is one that is considered to be adequately protected against 
such threats. 
1. Open Security Environment 
An open security environment exists when either of the following 
conditions holds true: 

a. Application developers (including maintainers) do not have 
sufficient clearance (or authorization) to provide an 
acceptable presumption that they have not introduced 
malicious logic. Sufficient clearance is defined as 
follows: where the maximum classification of data to be 
processed is Confidential or below, developers are cleared 
and authorized to the same level as the most sensitive data; 
where the maximum classification of data to be processed is 
Secret or above, developers have at least a Secret 
clearance. 


b. Configuration control does not provide sufficient assurance 
that applications are protected against the introduction of 
malicious logic prior to or during the operation of system 
applications. LNef. 102529317] 


In the open security environment, the application of malicious 
logic can affect the TCB in two ways. The first way is an attack on TCB 
controls in an attempt to "penetrate" the system. Secondly, any covert 
channels that exist in the TCB can be exploited. 

Table 4.4 presents the minimum evaluation class identified in 
the Computer Security Requirements for different risk indices in an open 
security environment [Ref. 10:p. 12]. Table 4.5 illustrates the impact 
of the requirements on individual minimum clearance/maximum data 
sensitivity pairings, where no categories are associated with maximum 
data sensitivity below Top Secret [Ref. 10:p. 13]. The classes obtained 
from these tables reflect minimum values. Again, if the environment 
dictates, the assignment of a higher class may be warranted. Two 
factors that may lead to a higher class assignment are: a) High volume 
of information at the maximum data sensitivity, and b) Large numbers of 
users with minimum clearance. These two factors are common in networks. 

Systems operating in a system high or dedicated mode have a risk 
index of zero. A system operating in the dedicated mode is 
characterized by all users having the appropriate clearance and 
need-to-know requirements for all information on the system. Strictly 
speaking, no additional requirements exist for hardware or software to 
enforce the security policy; however, such features may be necessary 
because of the integrity and denial of service requirements for many 
systems. 

A system operating in the system high mode is characterized by 
all users having the appropriate clearance but not the need-to-know for 
all information on the system. Obviously, discretionary measures are 


TABLE 4.4 

COMPUTER SECURITY REQUIREMENTS FOR OPEN SECURITY 
ENVIRONMENTS 

RISK INDEX    SECURITY OPERATING MODE            MINIMUM CRITERIA CLASS(1) 

0             Dedicated                          No Prescribed Minimum(2) 
0             System High 
1             Limited Access, Controlled, 
              Compartmented, Multilevel 
2             Limited Access, Controlled, 
              Compartmented, Multilevel 

[The remaining rows and the class entries of this table are not legible in this copy.] 

(1) The asterisk (*) indicates that computer protection for environments with that 
risk index is considered to be beyond the state of current technology. Such 
environments must augment technical protection with personnel or 
administrative security safeguards. 

(2) Although there is no prescribed minimum, the integrity and denial of service 
requirements of many systems warrant at least class C1 protection. 

(3) If the system processes sensitive or classified data, at least a class C2 system is 
required. If the system does not process sensitive or classified data, a class C1 
system is sufficient. 

(4) Where a system processes classified or compartmented data and some users do not 
have at least a Confidential clearance, or when there are more than two types of 
compartmented information being processed, at least a class B2 system is required. 


TABLE 4.5 
SECURITY INDEX MATRIX FOR OPEN SECURITY ENVIRONMENTS(1) 

[Matrix: rows give the Minimum Clearance or Authorization of System Users; columns give the Maximum Data Sensitivity. Cell values are not legible in this copy.] 

(1) Environments for which either C1 or C2 is given are for systems that operate in 
system high mode. No minimum level of trust is prescribed for systems that 
operate in dedicated mode. Categories are ignored in the matrix, except for their 
inclusion at the TS level. 

(2) It is assumed that all users are authorized access to all categories present in the 
system. If some users are not authorized for all categories, then a class B1 system 
or higher is required. 

(3) Where there are more than two categories, at least a class B2 system is required. 

U = Uncleared or Unclassified 
N = Not Cleared but Authorized Access to Sensitive Unclassified Information or 
Not Classified but Sensitive 
C = Confidential 
S = Secret 
TS = Top Secret 
TS(BI) = Top Secret (Background Investigation) 
TS(SBI) = Top Secret (Special Background Investigation) 
1C = One Category 
MC = Multiple Categories 


needed to protect information from those users without the appropriate 
need-to-know. At least a Class C2 system is required because of its 
accountability capabilities when systems process and/or store classified 
or sensitive unclassified data. If the maximum sensitivity of the data 
is unclassified, a Class C1 system is acceptable. No audit trails are 
traceable to the individual, but protection is still needed to protect 
project or private information and to prevent the accidental reading or 
destruction of another user’s data. 

A risk index of 1 or higher is characteristic of systems 
operating in controlled, compartmented, and multilevel modes. In these 
modes, mandatory access control to objects is usually controlled by the 
use of sensitivity labels. Mandatory access controls are inherent to 
Division A and B systems and are required for all environments with risk 
indices of 1 or greater. The minimum class recommended for systems 
requiring mandatory access control is Class B1. 

Systems with a risk index of 2 require more trust than is 
afforded by the Class B1 system. Where a sensitivity label alone exists 
(no label denoting category), Class B2 systems are the minimum 
requirement for minimum clearance/maximum data sensitivity pairings 
such as U/C, N/S, and S/TS. 

Although Class B2 systems are relatively resistant to 
penetration, a risk index of 3 requires even greater resistance to 
penetration such as that demonstrated by a Class B3 system. Class B3 
systems are the minimum requirement for minimum clearance/maximum data 
sensitivity pairings of U/S, C/TS, S/TS with one category and TS(BI)/TS 
with multiple categories. 

The most trustworthy systems at the present time are Class A1 
systems. Class A1 systems are to be used for situations with a risk 
index of 4 and are the minimum requirement for minimum clearance/maximum 
data sensitivity pairings of N/TS, C/TS with one category, and S/TS with 
multiple categories. Formal design specification and verification 
techniques distinguish Class A1 from Class B3 (the architecture and 
policy requirements are the same). 

Any system operating in an environment with a risk index of 5 or 
greater cannot be made trustworthy with current technology. An open 
environment with uncleared users and Top Secret data is not permissible 
under any conditions. 
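
The Case I/Case II computation and the open-environment class assignments described above, as an added Python sketch (not code from the thesis or from Ref. 10). The numeric ratings are an assumption reconstructed from the clearance/sensitivity pairings the text gives, and all function and parameter names are hypothetical. 

```python
"""Risk index (Cases I and II) and minimum class, open security environment."""

# ASSUMPTION: the ratings of Tables 4.1 and 4.2 are illegible in this copy, so
# the values below are reconstructed to reproduce the clearance/sensitivity
# pairings the text assigns to Classes B2, B3 and A1. As in Tables 4.3 and 4.5,
# categories are counted only at Top Secret ("1C" = one, "MC" = multiple).
R_MIN = {"U": 0, "N": 1, "C": 2, "S": 3,
         "TS(BI)": 4, "TS(SBI)": 5, "1C": 6, "MC": 7}
R_MAX = {"U": 0, "N": 1, "C": 2, "S": 3, "TS": 5, "1C": 6, "MC": 7}

CLASS_BY_INDEX = {1: "B1", 2: "B2", 3: "B3", 4: "A1"}
ORDER = ["C1", "C2", "B1", "B2", "B3", "A1"]      # weakest to strongest
NO_MINIMUM = "no prescribed minimum"              # dedicated mode
NOT_FEASIBLE = "beyond current technology"        # risk index 5 or greater


def risk_index(min_clearance, max_sensitivity, some_users_lack_category=False):
    """Return the risk index for one clearance/sensitivity pairing."""
    rmin, rmax = R_MIN[min_clearance], R_MAX[max_sensitivity]
    if some_users_lack_category and max_sensitivity not in ("1C", "MC"):
        # Hypothetical guard: this sketch has no ratings for categories
        # attached to data below Top Secret.
        raise ValueError("categories below Top Secret are not modelled")
    if rmin < rmax:                                # Case I
        if (min_clearance, max_sensitivity) == ("TS(BI)", "TS"):
            return 0                               # the one stated exception
        return rmax - rmin
    return 1 if some_users_lack_category else 0   # Case II


def minimum_class_open(min_clearance, max_sensitivity, *,
                       some_users_lack_category=False,
                       category_count=0, dedicated=False):
    """Minimum evaluation class in an open security environment."""
    index = risk_index(min_clearance, max_sensitivity,
                       some_users_lack_category)
    if index == 0:
        if dedicated:
            return NO_MINIMUM
        # System high mode: C2 for sensitive or classified data, else C1.
        return "C1" if max_sensitivity == "U" else "C2"
    if index >= 5:
        return NOT_FEASIBLE
    cls = CLASS_BY_INDEX[index]
    # Table 4.4, note 4: classified data with users below Confidential, or
    # more than two categories, raises the floor to B2.
    classified = R_MAX[max_sensitivity] >= R_MAX["C"]
    below_confidential = R_MIN[min_clearance] < R_MIN["C"]
    if (classified and below_confidential) or category_count > 2:
        cls = max(cls, "B2", key=ORDER.index)
    return cls


def matrix_row(min_clearance):
    """One row of the clearance-by-sensitivity matrix (all users authorized)."""
    return {s: minimum_class_open(min_clearance, s) for s in R_MAX}


if __name__ == "__main__":
    for clearance in R_MIN:
        print(f"{clearance:8}", matrix_row(clearance))
```
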


2. Closed Security Environment 


A closed security environment is protected from the insertion of 
malicious logic; however, a threat to the TCB exists from the 
exploitation of unintentional errors in logic for malicious purposes. A 
closed security environment exists when both of the following conditions 
hold true: 

a. Applications developers (including maintainers) have 
sufficient clearances and authorizations to provide an 
acceptable presumption that they have not introduced 
malicious logic. 

b. Configuration control provides sufficient assurance that 
applications are protected against the introduction of 
malicious logic prior to and during the operation of system 
applications. [Ref. 10:p. 32] 

Clearances are required for assurance against malicious 
applications logic because there are relatively few tools for assessing 
the security-relevant behavior of application hardware and software. 
The DoD Computer System Evaluation Criteria outline assurance 
requirements such as extensive functional testing, penetration testing, 
and correspondence mapping between a security model and the design for 
increased confidence in the TCB. 

In the closed security environment, a Class B2 system is the 
result of adherence to requirements that are rigid enough to 
substantially reduce the number of unintentional errors in logic and is 
worthy of increased trust. A system evaluated as a Class B1 system in 
an open security environment cannot be degraded to a Class C1 or C2 
system in a closed security environment because of the requirement for 
mandatory access controls. 

Table 4.6 presents the minimum evaluation class identified in 
the Computer Security Requirements for different risk indices in a 
closed security environment [Ref. 10:p. 20]. The principal difference 
between the open and closed security environments is that Class B2 
systems in the closed security environment are trusted to provide 
sufficient protection for a greater risk index. Table 4.7 illustrates 
the requirement’s impact on individual minimum clearance/maximum data 
sensitivity pairings [Ref. 10:p. 21]. Unlike the open security 
environment, protection support for some closed environments, such as an 
uncleared user on a system processing Top Secret data, is allowed. 

D. ANOTHER APPROACH FOR RISK ASSESSMENT 

Carl Landwehr and H. O. Lubbes feel that the DoD Computer Security 
Center did an outstanding job of defining requirements corresponding to 
specified levels of security functions and assurance. However, the 
technical guidance provided falls short of adequately providing guidance 
for what level of system is appropriate in a given environment. They 


TABLE 4.6 

COMPUTER SECURITY REQUIREMENTS FOR CLOSED SECURITY 
ENVIRONMENTS 

RISK INDEX    SECURITY OPERATING MODE            MINIMUM CRITERIA CLASS(1) 

0             Dedicated                          No Prescribed Minimum(2) 
1             Limited Access, Controlled,        B1(4) 
              Compartmented, Multilevel 
              Limited Access, Controlled, 
              Compartmented, Multilevel 
              Controlled, Multilevel 

[The remaining rows, risk index values and class entries of this table are not legible in this copy.] 

(1) The asterisk (*) indicates that computer protection for environments with that 
risk index is considered to be beyond the state of current technology. Such 
environments must augment technical protection with physical, personnel, 
and/or administrative safeguards. 

(2) Although there is no prescribed minimum, the integrity and denial of service 
requirements of many systems warrant at least class C1 protection. 

(3) If the system processes sensitive or classified data, at least a class C2 system is 
required. If the system does not process sensitive or classified data, a class C1 
system is sufficient. 

(4) Where a system processes classified or compartmented data and some users do 
not have at least a Confidential clearance, at least a class B2 system is required. 


TABLE 4.7 
SECURITY INDEX MATRIX FOR CLOSED SECURITY ENVIRONMENTS(1) 

[Matrix: rows give the Minimum Clearance or Authorization of System Users; columns give the Maximum Data Sensitivity. Cell values are not legible in this copy.] 

(1) Environments for which either C1 or C2 is given are for systems that operate in 
system high mode. There is no prescribed minimum level of trust for systems that 
operate in dedicated mode. Categories are ignored in the matrix, except for their 
inclusion at the TS level. 

(2) It is assumed that all users are authorized access to all categories on the system. 
If some users are not authorized for all categories, then a class B1 system or higher 
is required. 

(3) Where there are more than two categories, at least a class B2 system is required. 

U = Uncleared or Unclassified 
N = Not Cleared but Authorized Access to Sensitive Unclassified Information or 
Not Classified but Sensitive 
C = Confidential 
S = Secret 
TS = Top Secret 
TS(BI) = Top Secret (Background Investigation) 
TS(SBI) = Top Secret (Special Background Investigation) 
1C = One Category 
MC = Multiple Categories 


feel that the scheme described above is still not enough in assessing 
the Navy's security needs. Their apprehension can certainly be extended 
to the entire military community. 

In their paper, An Approach to Determining Computer Security 
Requirements for Navy Systems, Landwehr and Lubbes describe a method for 
applying the Orange Book to representative large-scale dispersed systems 
seen in the Navy and propose a system of looking at risk factors not 
previously addressed in DoD literature pertaining to trusted systems. 
They also propose a scheme for applying these risk factors to assess a 
system’s overall risk, which in turn will be the basis for the security 
requirements of that system. A discussion of their ideas follows. 

1. Applying Security Requirements 

A method of applying the computer security requirements in the 
Orange Book to trusted systems is depicted in Figure 4.1 [Ref. 11:p. 3] 
and defined below: 

a. extracting from each system (or system design) the factors 
that affect the risk that its operation may lead to the 
unauthorized disclosure of sensitive information, 

b. quantifying these factors, and 

c. determining system security requirements (in terms of the 
levels defined in the Orange Book) that reduce the system 
risk to an acceptable level. [Ref. 11:p. 2] 

This method qualifies as a risk evaluation since the threat of 
unauthorized disclosure of sensitive information exists. The system 
risk is a mix of the value of the system's assets (sensitive 
information), the system’s vulnerabilities, and the clearance of the 
users. 















[Figure 4.1 - Steps in Applying Guidance. The diagram shows a System Description from which the Risk Factors (local processing capability, communication path, user capability, data exposure (user clearance, data classification), and development/maintenance environment) are extracted and quantified; the resulting Risk Evaluation is combined with the Orange Book Criteria to give the Security Design Requirements.] 


2. Identifying the Risk Factors 


Landwehr and Lubbes propose several new classes of risk factors 
that affect actual system risk - local processing capability, 
communication path, user capability, development/maintenance 
environment, and data exposure. Within each of these classes is a list 
of independent risk levels that represent a comparable increase or 
decrease in risk between adjacent levels. 

Local processing capability addresses the capabilities of the 
user’s terminal. Capabilities range from the receive-only terminal (no 
system commands can be entered directly) to the fixed-function 
interactive terminal (allows both sending and receiving information) to 
the programmable terminal (can be programmed to enter commands). The 
programmable terminal introduces the highest level of risk and is the 
equivalent of using a personal computer as a terminal. The identified 
risk levels for local processing capability are: 

Level 1: receive-only terminal 
Level 2: fixed-function interactive terminal 
Level 3: programmable device (access via personal computer or 
programmable host) 


The communications path between the terminal and the host also 
affects the level of risk in the system. The lowest risk level exists 
in a terminal that has a simplex receive-only link to its host via a 
store-and-forward (S/F) network (e.g., fleet broadcast). Terminals 
connected to the host directly, through a local-area network, or a 
long-haul network such as DDN typify the greatest risk of penetration 
because of the increased bandwidths and closer host-terminal 
interactions common to these systems. The identified risk levels for 
communications path are: 

Level 1: store/forward, receive-only 
Level 2: store/forward, send/receive 
Level 3: interactive (I/A), via direct connection, local-area net, 
or long-haul packet net 


A system that allows only certain predefined inputs is less 
risky than a system that responds to user transactions. Succinctly 
stated, limiting the user’s capabilities lessens the system risk. The 
identified risk levels for user capability are: 

Level 1: output only 
Level 2: transaction processing 
Level 3: full programming 

A system that is developed and maintained by cleared individuals 
(commonly seen in the intelligence community) represents a lower risk 
level than the majority of systems that are developed and maintained 
without this requirement. Using this assumption, Landwehr and Lubbes 
consider all systems to have been developed and maintained as the 
majority, in an open environment. Therefore, no risk levels are 
identified for the development/maintenance environment. 

The greater the disparity between the clearance of the 
least-cleared user and the classification of the most sensitive data 
stored or processed by the system, the greater the risk. This class is 
similar to that stated above by the DoD Computer Security Center, but it 
is termed data exposure to distinguish it from other risk factors. 


Clearance levels are identified as: 

Level 0: uncleared 
Level 1: uncleared, but authorized access to sensitive 
unclassified information 
Level 2: confidential clearance 
Level 3: secret clearance 
Level 4: top secret/background investigation 
Level 5: top secret/special background investigation 
Level 6: top secret/special background investigation, with 
authorization for one compartment 
Level 7: top secret/special background investigation, with more 
than one compartment 

Classification levels are numbered: 

Level 0: unclassified 
Level 1: sensitive unclassified information 
Level 2: confidential 
Level 3: secret 
Level 4: secret with one category 
Level 5: top secret with no categories, or secret with two or 
more categories 
Level 6: top secret with one category 
Level 7: top secret with two or more categories 

Data exposure is computed as the difference between the level of the 
least-cleared user of a system and the maximum level of data processed 
by the system. The range of values is from 0 (all users cleared for all 
data) to 7 (uncleared users with information being processed that is top 
secret with two or more categories). 


3. Applying the Risk Factors 


Once the various risk levels have been determined for a 
particular system, Tables 4.8, 4.9, and 4.10 are used to provide the 
necessary mappings between factor values, risk factor levels, and 
security requirements as presented in the Orange Book. Local processing 
capability and communication path provide the basis for the process 
coupling risk - the degree to which a process can maintain its integrity 
when subjected to subversion from an outside source (Table 4.8). A 
close degree of interaction results in a high degree of coupling, which 
yields increased vulnerability. Combining the process coupling risk 
with user capability yields an overall system risk that is independent 
of the data exposure (Table 4.9). The security requirement is read from 
Table 4.10 as the result of relating overall system risk and data 
exposure. As stated previously by the DoD Computer Security Center, 
system requirements are not technically feasible at this time for all 
situations. 

This technique is superior to that of the DoD Computer Security 
Center because a broader range of threats is specifically addressed. 
System requirements can still be upgraded if the environment appears to 
pose unique threats that have not been addressed. Landwehr and Lubbes 
point out that approaches for determining other security requirements 
(e.g., TEMPEST, degaussing, COMSEC, contingency planning) are beyond the 
scope of their approach. 


TABLE 4.8 - PROCESS COUPLING RISK 

[Matrix: rows give Local Processing Capability (1. Receive-only terminal; 2. Interactive terminal (fixed function); 3. Programmable device (access via personal computer or programmable host)); columns give Communication Path (1. S/F Net (one-way); 2. S/F Net (two-way); 3. I/A Net or Direct Connection (LAN, DDN)). Cell values are not legible in this copy.] 

[Table 4.9: rows give User Capability (1. Output-only (subscriber); 2. Transaction processing; 3. Full programming). The title, column headings and cell values are not legible in this copy.] 

TABLE 4.10 - MAPPING SYSTEM RISK AND DATA EXPOSURE 
TO ORANGE BOOK LEVELS 

[Matrix: columns give System Risk; rows give Data Exposure. Cell values are not legible in this copy.] 


V. MULTILEVEL SECURITY IN THE W.A.R. LAB 


One of the main purposes of this paper is to investigate the 
integration of the Gemini Trusted Multiple Microcomputer Base into the 
Wargaming, Analysis, and Research (W.A.R.) Lab. Currently, the 
acquisition process for a Gemini system has begun with an estimated 
delivery date in May 1986. Primarily, the system is being purchased to 
become the basis for research involving multilevel security; however, it 
is worthwhile to search for other applications that can enhance or 
upgrade the current security posture in the W.A.R. lab. 

A. THE W.A.R. LAB 

In 1977, the Wargaming, Analysis, and Research Lab received 
sponsorship from the Defense Advanced Research Projects Agency (DARPA) 
as a research center for topics involving command, control, and 
communications (C3). Two years later, the lab opened with a PDP-11/70 
computer and GENESCO graphics. Today, the laboratory is a modern, 
TEMPEST-hardened facility with significant information processing and 
storage capability. Appendix C details the current systems/software 
available in the W.A.R. lab. 

The W.A.R. lab is currently used for wargaming, classified thesis 
preparation, course projects, and research activities. The facility is 
of prime importance in the USREDCOM’s development of the Joint Theater 
Level Simulation (JTLS). Also, controlled experiments in 
headquarters effectiveness are conducted periodically by the Defense 
Communications Agency (DCA). 

There are three different simulation courses taught 
twice each academic year at the Naval Postgraduate School. These 
courses involve approximately 160 students from seven curriculums - OR, 
C3, ASW, EW, Space Ops, Air Ocean Tactical Environment Support, and NSA. 
The instruction provided to officer students covers full and limited 
exposure to wargaming, mathematical modeling and simulation techniques, 
decision theory, validation of models, and design of experiments. 
Thesis and professional research cover such diverse areas as red side 
planning models, ASW modeling and computer simulation, computer graphics 
enhancements, Interactive Battle Group Tactical Trainer (IBGTT) and 
Naval Warfare Gaming System (NWGS) model validation, distributed 
computing with large and small networks, and voice input devices and 
techniques. 
B. THE GEMINI TRUSTED MULTIPLE MICROCOMPUTER BASE 

The Gemini Trusted Multiple Microcomputer system is a product of 
Gemini Computers, Incorporated of Monterey, California. Up to eight 
iAPX286-based microcomputers can be modularly connected on the same
Multibus to provide a combination of multilevel security and
multiprogramming capabilities. The system can provide a trusted base for
both concurrent and real-time applications such as command, control,
communications, intelligence, weapons, networks, and office automation. 

The Gemini system includes the Gemini bus controller, a real-time
clock with battery, and data encryption device using the standard
NBS-DES algorithm. Non-volatile memory is used for storing passwords
and secret encryption keys. The Gemini computer system supports the
following programming languages: Pascal MT+, JANUS ADA, PL/1, C, and
FORTRAN.

The iAPX286 microprocessor combines the central processing unit and 
the memory management unit on the same chip. This microprocessor 
supports four hierarchical privilege levels for protection and mediation 
of all memory and I/O references.

The Gemini Multiprocessing Secure Operating System (GEMSOS) stores
all information in discrete logical objects called segments. These
segments are managed with respect to their security access class and
access mode. GEMSOS supports both sensitivity and integrity access
classes (each with 3 levels and 24 compartments) for mandatory security
policies. Discretionary security policies are also enforced on an
application-specific basis.

For additional information on the Gemini Trusted Multiple
Microcomputer Base, refer to Appendix C for a product description
(quoted from an information packet from Gemini Computers, Inc).

C. RISK ASSESSMENT IN THE W.A.R. LAB 
This risk assessment will only take into account those areas most
applicable to the multilevel secure environment.


1. Current Assessment 
As mentioned previously, the W.A.R. lab operates in the
"system-high" security mode. All personnel that are authorized access
to the facility must possess a Secret clearance as a minimum and the
highest classification of information stored or processed by all
mainframe computers and microcomputers is also Secret. The only
discrepancy existing between the users' minimum clearance and the
maximum data sensitivity of information stored or processed in the lab
is that of need-to-know. Obviously, selective exposure to classified
material is desired and the list of those who should have access to all
information resident in the facility is small. Passwords to directories
and files are the only safeguard for discretionary dissemination of data
and their compromise can result from the crowded conditions that often
exist in the lab. Along with the problem of material being viewed by
those who should not have discretionary access, a greater threat of
unintentional or malicious tampering of either programs or data exists.

At the present time the only I/O external to the physical
confines of the lab is a secure link to the USREDCOM at McDill AFB in
Florida. Data link encryption is provided by a crypto generator
(KG-39).

2. Proposed W.A.R. Lab Operations 

Before proceeding further with a look at risk assessment, it is 
necessary to detail some of the possible options for configuration
(minimum user clearance/maximum data sensitivity) that would be optimal
for utilization of the facility. These proposed configurations are made
on the basis of three assumptions: the lab remains at its current
location in Room 157, Ingersoll Hall; the lab's role as a research and a
teaching facility remains unchanged; and the highest classification of 
information being stored or processed in order to fulfill its assigned 
role continues to be Secret. 

Option 1. The lab continues to operate in the "system-high
mode", but with greater attention towards isolating various levels of
information within the lab. This option could be effectively
implemented without the introduction of new hardware. By using existing
room dividers to create cells for specific "types" of work, the
effectiveness of the current password security would be greatly enhanced
by reducing the risk of accidental compromise. However, such an
implementation would be impractical because of the overcrowding that
often exists in the lab. During the conduct of wargames, the entire
facility is used and participants are often required to move freely
between cells.

With the introduction of the Gemini Trusted Multiple
Microcomputer Base, selected material can be processed and stored by the
system's Trusted Computing Base (TCB) with access being granted only to
those truly authorized. Such material can be routed to previously
specified terminals only. Again, this is not a fix to the current
situation in the lab, but rather, an alternative for that material which
truly deserves discretionary isolation. For reasons that will be
explained later, not all information that is processed or stored on the
current mainframes can benefit from the discretionary access provided by
the Gemini Computer.

Any system providing multilevel security or secure guard in the
above situation (both open and closed environments) must be rated Class
C2 as a minimum. Discretionary access is provided by Class C2 systems
and such a rating is the minimum for any system that processes sensitive
or classified information.

Option 2. The lab continues to operate in a "system-high" mode
with increased emphasis on discretionary isolation. To alleviate the
frequent overcrowded conditions, an additional room has been physically
secured elsewhere in Ingersoll Hall. Personnel who are not directly
involved in wargaming can conduct research or assignments outside the
W.A.R. lab proper.

Most of the comments stated concerning Option 1 are applicable 
to this configuration. Again, a system with a rating of Class C2 is 
sufficient for establishing a multilevel secure or guard environment. An
additional consideration is the method or medium by which sensitive
information is sent to the add-on work area. Physical security of the
transmission medium or data encryption is required to prevent possible 
compromise. 

Local processing capability and user capability can be tailored 
for each terminal allowing varying degrees of interaction with the host 
computer. Such complicating factors lend greater support for the 
proposed risk assessment scheme by Landwehr and Lubbes. Their scheme 
examines the risk level for more factors than that of the DoD Computer
Security Center. In this case, a system with a rating of Class C2 is
still considered adequate. 

The same caveat applies as before. Not all information stored
or processed by the W.A.R. lab's mainframe computers will benefit from
the discretionary access controls enforced by the Gemini computer. 

Option 3. This option is the most ambitious and desirable of
all the options presented. The computer security environment in the
W.A.R. lab is one of total multilevel security. Terminals are available
outside of the facility (classrooms, workspaces, and offices) for
various levels of work utilizing the lab's resources. In secure and
unsecure workspaces, the local processing capability and the user
capability of each terminal is tailored to meet specific requirements as
in Option 2. Uncleared users may even be given authorization to use
terminals that are placed in unsecure workspaces.

If these capabilities existed in the current lab, overcrowding 
would no longer be a problem. Students could enter the unclassified 
portions of their papers outside the lab. Instructors could set 
parameters for upcoming wargames in the convenience of their office. 
Classroom instruction could be conducted outside of the facility. Also, 
the lab’s role could be enhanced greatly. Allied students would be able 
to participate in ongoing classified wargames since all sensitive 
material would be removed prior to display on a terminal designated for
uncleared users. Instruction requiring the lab's resources would not be 
limited to those with appropriate clearances. Many more examples could 
be cited. 

Applying the Computer Security Center's approach to risk
assessment, the minimum criteria class for a system that can support
the configuration stated in Option 3 is Class B3 for the open
environment and Class B2 for the closed environment. Again, the
Landwehr and Lubbes scheme is more appropriate. If one chooses the
factor yielding the lowest risk levels for each category (e.g., a
receive-only terminal, S/F Net (one-way), user output only), it is
possible to have a Class B1 system. Given the constraints leading to
the low risk levels, the configuration of Option 3 can be realized with
an unbearably low effectiveness. A Class B3 system is required when the
factors yielding the greatest risk level for each category are selected.
The Computer Security scheme assumes maximum risk and does not enumerate
the various factors. The Landwehr and Lubbes scheme evaluates the
various factors, giving more flexibility in configuration design.

The Gemini Trusted Multiple Microcomputer Base is currently 
undergoing final evaluation for the Class B3 rating. It was developed 
as a "bolt-on" system to provide multilevel security, but will its 
integration into the W.A.R. lab produce the ambitious results needed to
realize the configuration stated in Option 3? 

D. INTEGRATION OF THE GEMINI COMPUTER INTO THE W.A.R. LAB 

The Gemini Trusted Multiple Microcomputer Base can serve merely as 
a secure guard or can be the basis for a total multilevel secure 
environment. 

1. The Gemini Computer as a Secure Guard 

The role of a secure guard system is very similar to that of a 
multilevel secure system. The major function of both is to allow 
subjects of different levels of classification to operate on a common
computer system or network. All of the above options present situations 
that require guard technology - mandatory and discretionary access. 

The Gemini computer's TCB is responsible for insuring that
only authorized subjects have access to information stored and processed
on the system. The system has the capability of both storing and
processing. A digital signature (label) placed on each object
determines which subjects ultimately have access and the terms of that
access. It is clear that all information created, stored, or processed
on the Gemini system can be manipulated in the multilevel secure
environment. However, when the Gemini system is integrated with the
existing computers in the lab, this integrity cannot necessarily be
insured.

Since existing computers in the lab do not have a TCB, resident
software cannot legitimately label objects and access by subjects
(especially processes) to existing labelled objects cannot be tolerated.
Therefore, in order to maintain information integrity, the only
allowable integration of the Gemini system with existing computer
systems in the lab is with partitioned memory sections on these existing
systems. All information flow that is under the umbrella of the guard
interface must go through the Gemini computer for routing to authorized
subjects only and existing systems can be used for storage only. In
summation, the Gemini computer can only serve as a guard device for a
predetermined subset of the information that is created, stored, or
processed in the facility.
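
The guard role described above, together with the GEMSOS access classes from section B, can be sketched as follows. This is an added example, not code from the thesis or from Gemini Computers; it assumes the usual lattice rules (no read up and no write down for sensitivity, the reverse for integrity), and the level names, users, segments and terminals are constructed for illustration.

```python
from dataclasses import dataclass

U, C, S = 0, 1, 2       # sensitivity levels used in this example (assumed names)
LOW, HIGH = 0, 2        # integrity levels used in this example (assumed names)
N_COMPARTMENTS = 24     # compartments per access class, as quoted in section B


@dataclass(frozen=True)
class AccessClass:
    level: int
    compartments: frozenset = frozenset()

    def __post_init__(self):
        if not 0 <= self.level <= 2:
            raise ValueError("level outside the range used in this example")
        if any(not 0 <= c < N_COMPARTMENTS for c in self.compartments):
            raise ValueError("compartment number outside 0..23")

    def dominates(self, other):
        """True when self is at least as high and holds every compartment of other."""
        return self.level >= other.level and self.compartments >= other.compartments

    def meet(self, other):
        """Greatest lower bound: the most that both classes permit."""
        return AccessClass(min(self.level, other.level),
                           self.compartments & other.compartments)


@dataclass(frozen=True)
class Subject:
    name: str
    sensitivity: AccessClass
    integrity: AccessClass


@dataclass(frozen=True)
class Segment:
    name: str
    sensitivity: AccessClass
    integrity: AccessClass
    readers: frozenset = frozenset()   # discretionary (need-to-know) read list
    writers: frozenset = frozenset()   # discretionary write list


def session(user, terminal_max):
    """The user as a subject at one terminal: never above the terminal's class."""
    return Subject(user.name, user.sensitivity.meet(terminal_max), user.integrity)


def may_read(subj, seg):
    mandatory = (subj.sensitivity.dominates(seg.sensitivity)    # no read up
                 and seg.integrity.dominates(subj.integrity))   # no read of lower-integrity data
    return mandatory and subj.name in seg.readers


def may_write(subj, seg):
    mandatory = (seg.sensitivity.dominates(subj.sensitivity)    # no write down
                 and subj.integrity.dominates(seg.integrity))   # no write to higher-integrity data
    return mandatory and subj.name in seg.writers


def guard_release(user, terminal_max, segments):
    """Split segment names into (released, withheld) for one user at one terminal."""
    subj = session(user, terminal_max)
    released = [s.name for s in segments if may_read(subj, s)]
    withheld = [s.name for s in segments if not may_read(subj, s)]
    return released, withheld


# Constructed sample data (names, labels and lists are illustrative only).
RED = frozenset({3})                                  # one hypothetical compartment
instructor = Subject("instructor", AccessClass(S, RED), AccessClass(HIGH))
student = Subject("student", AccessClass(S), AccessClass(LOW))
allied = Subject("allied_student", AccessClass(U), AccessClass(LOW))
LAB = AccessClass(S, RED)                             # terminal inside the lab
OFFICE = AccessClass(U)                               # terminal in an unsecure workspace
EVERYONE = frozenset({"instructor", "student", "allied_student"})
STAFF = frozenset({"instructor"})
SEGMENTS = [
    Segment("game_schedule", AccessClass(U), AccessClass(HIGH), EVERYONE, STAFF),
    Segment("jtls_parameters", AccessClass(S), AccessClass(HIGH),
            frozenset({"instructor", "student"}), frozenset({"instructor", "student"})),
    Segment("red_order_of_battle", AccessClass(S, RED), AccessClass(HIGH),
            frozenset({"instructor", "student"}), STAFF),
    Segment("thesis_draft", AccessClass(S), AccessClass(LOW),
            frozenset({"student"}), frozenset({"student"})),
]
```

The student appears on both discretionary lists of `jtls_parameters`, yet the integrity rule still blocks the write, which is the tampering case a password-only scheme cannot stop.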


2. The Gemini Computer as a Basis For Multilevel Security


Other than the research aspect, Gemini's greatest contribution
would be the capability of providing a multilevel secure environment for
all information handling functions in the W.A.R. lab. Unfortunately,
without the prohibitive investment of several man-years, the existing
systems and resident software cannot qualify for the stringent
requirements demanded by the Gemini's TCB. Most of the reasons were
mentioned in the previous section. Primarily, existing systems do not
have a TCB and the complexity of resident software (esp. operating
systems and wargames) make it extremely difficult for them to be adapted
to the Gemini system.


In order to maintain a sphere with multilevel security, the
Gemini base must be used for creating, storing, or processing all
information that is to be dynamic within the environment. The Gemini
system supports several processors and memory expansion to provide a
complete multilevel secure system within itself. Also, memory can be
partitioned on the existing system for exclusive use by the Gemini
system. A major drawback is the fact that future software development
must proceed around the requirements of the Gemini system. Until such a
system is standardized in the military community, transportability of
software will be limited.

The shortcomings listed are not only associated with the Gemini
system, but rather apply to all "bolt-on" multilevel secure systems.
They are not indicative of a lack of sophistication, but of the
complexity of providing multilevel security.


VI. CONCLUSION 


A. CONCLUDING REMARKS 

The original intent of this paper was to examine the integration of
the Gemini Trusted Multiple Microcomputer Base into the W.A.R. lab and
to develop a framework for converting the facility into a multilevel
secure environment. During the research phase of preparing this paper,
it was discovered that the so-called "bolt-on" security systems
currently available are extremely limited as a means for creating a
multilevel secure environment if the goal is to use the processing
capability and resident software of existing computing systems. Thus,
the direction of this paper was changed to assess the security risk
currently associated with the W.A.R. lab and to establish bounds for the
integration of the Gemini system.

The need for a multilevel secure environment continues to be a
limiting factor in the realization of the full potential of automated
data processing systems used for sensitive information. Given the
complexity of the security problem and the safeguards that are enforced
by the Trusted Computing Base (TCB), it is unlikely that any retrofitted
security system can be meshed with an existing computer system and its
resident software to produce a complete multilevel secure environment.
"Bottom-up" design, as seen in the Blacker project, appears to be the
best alternative for very large information processing systems.


The integration of the Gemini Trusted Multiple Microcomputer Base 
into the W.A.R. lab will not convert the facility into a complete 
multilevel secure environment. However, the Gemini system is a
formidable information processing system that can provide a multilevel
secure environment by itself. Also, the Gemini system's capabilities
can be greatly enhanced by the addition of multiple processors and 
information storage devices. Discounting the research opportunities, 
the Gemini system’s greatest contribution to the W.A.R. lab will be its 
role as a secure guard for enforcing discretionary access. 

B. RECOMMENDATIONS FOR FOLLOW-ON STUDY 

The Gemini system will provide an excellent vehicle for graduate
level research for both centralized and distributed secure information
processing in the C3I environment. The Computer Science Department is
currently conducting research on a Gemini system that was recently
acquired; thus, a close liaison must be maintained with the Computer
Science Department to prevent duplication of effort. A clear division
of work should be established. The Command and Control curriculum
should restrict research projects to those that are application (system
level) or security policy oriented.

The following is a suggestive list of feasible areas of study:

1. Integration into existing untrusted systems - There are
many untrusted information processing systems within the
Department of Defense that could benefit from "guard"
technology. The need to pass information between untrusted
systems at different security levels is great and becoming
increasingly more necessary at all levels within the armed
forces. This ability could also eliminate some of the
redundancy seen in existing systems. The development and
demonstration of a trusted "guard" device between the Marine
Corps Tactical Combat System (TCO) and the Marine Air Ground
Intelligence System (MAGIS) is one example.

MAGIS is an integrated tactical data system which will
provide the Marine commander with timely, accurate and
complete all-source intelligence on which to base tactical
decisions. TCO will be an on-line, interactive, secure
tactical command and control system designed to enhance the
capability of the commander and his operational staff to
conduct combat operations and planning. TCO's role is below
wing and division level where MAGIS is not resident. The
need exists for a security device which provides a virtual
link between end-user (TCO) to end-user (MAGIS) but can
cause a physical break in order to allow message traffic
between SCI and non-SCI systems. The TCO will serve as the
primary source of information for MAGIS.


2. Reduction in throughput - Obviously, the additional
processing required to enforce a well-formulated security
policy reduces the total throughput of the system. The
degree of security labelling can range from the byte level,
to the word level, to the file level. The lower the level
that labelling is required, the greater the cost in
throughput time. Research is needed to establish how much
degradation in throughput can be tolerated for individual
applications and to examine the trade-offs.


3. Policies concerning data aggregation - It is possible for
an aggregate set of data elements to be of a higher
sensitivity level than those data elements taken
individually. Areas where this situation is likely to be a
problem need to be identified and safeguards developed.

Regardless of the area of study, the researcher must be aware of the
considerations discussed during the risk assessment chapter and answer
the question: "Is the level of effort (both time and money) required to
achieve the desired security environment commensurate to the value of
the protected information?"
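
The aggregation problem in item 3 can be made concrete with a guard that remembers what each recipient has already received and refuses a release that would complete a higher-classified aggregate. This is an added sketch, not part of the thesis; the element names, their levels and the aggregation rules are constructed for illustration.

```python
U, C, S = 0, 1, 2   # hierarchical levels used in this example (assumed names)

# Constructed data: element names, levels and rules are illustrative only.
ELEMENT_LEVEL = {
    "exercise_name": U,
    "unit_name": U,
    "unit_location": C,
    "unit_strength": C,
    "movement_time": C,
}
AGGREGATION_RULES = [
    # (elements that are more sensitive together, level of the aggregate)
    (frozenset({"unit_name", "exercise_name"}), C),
    (frozenset({"unit_location", "unit_strength", "movement_time"}), S),
]


def aggregate_level(elements):
    """Level of a set of elements: the highest single label or completed rule."""
    held = frozenset(elements)
    level = max((ELEMENT_LEVEL[e] for e in held), default=U)
    for members, rule_level in AGGREGATION_RULES:
        if members <= held:
            level = max(level, rule_level)
    return level


class AggregationGuard:
    """Tracks releases per recipient so piecemeal requests cannot build an aggregate."""

    def __init__(self):
        self._released = {}   # recipient -> frozenset of elements already released

    def holdings(self, recipient):
        return self._released.get(recipient, frozenset())

    def request(self, recipient, clearance, elements):
        """Return (granted, level of history plus request); record only if granted."""
        wanted = frozenset(elements)
        unknown = wanted.difference(ELEMENT_LEVEL)
        if unknown:
            raise KeyError(f"unlabelled elements: {sorted(unknown)}")
        combined = self.holdings(recipient) | wanted
        level = aggregate_level(combined)
        if level > clearance:
            return False, level          # a denied request leaves the history unchanged
        self._released[recipient] = combined
        return True, level
```

Each single request from the Confidential-cleared analyst in the test passes a per-element check; only the history kept by the guard exposes that the third request would complete a Secret aggregate.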




APPENDIX A - SECURITY MODES OF OPERATION 


DoD computer security policy identifies five modes of operation to
accredit automated systems that process classified information:


Dedicated - All system equipment is used exclusively by that
system and all users have equal access (both level of
classification and need-to-know) to the information on that
system.

System High - All system equipment is protected at the level
of the most sensitive information that is processed by that
equipment. Users are cleared to that level, but may not meet
need-to-know requirements for some of the information.

Multilevel - The environment is the same as the controlled -
users without the proper level of clearance and/or need-to-know
for all information that is processed on the system; however, in
this mode, the operating system and associated system software
are responsible for the separation of users and classified
material.

Controlled - System users do not necessarily have the proper
level of clearance and/or need-to-know for all information that
is processed on the system. The burden of separation of users
and classified information is not essentially under operating
system control.

Compartmented - System allows two or more types of
compartmented information or any one type of compartmented
information with other than compartmented information to be
processed. System access is secured to at least Top Secret, but
all users need not be formally authorized access to all types of
compartmented information being processed and/or stored in the
system.

Additional policies may be defined to reflect the needs of the
individual services.


APPENDIX B - SECURITY CLEARANCES 


The following is a detailed description of security clearances as 
used by the DoD Computer Security Center: 


a. Uncleared (U) - Personnel with no clearance or
authorization. Permitted access to any information for
which there are no specified controls, such as openly
published information.

b. Unclassified Information (N) - Personnel who are authorized
access to sensitive unclassified (e.g., For Official Use
Only (FOUO)) information, either by an explicit official
authorization or by an implicit one derived from official
assignments or responsibilities.

c. Confidential Clearance (C) - Requires U.S. citizenship and
typically some limited records checking. In some cases, a
National Agency Check (NAC) is required (e.g., for U.S.
citizens employed by colleges or universities).

d. Secret Clearance (S) - Typically requires a NAC, which
consists of searching the Federal Bureau of Investigation
fingerprint and investigative files and the Defense Central
Index of Investigations. In some cases, further
investigation is required.

e. Top Secret Clearance based on a current Background
Investigation (TS(BI)) - Requires an investigation that
consists of a NAC, personal contacts, record searches, and
written inquiries. A BI typically includes an
investigation extending back 3 years, often with a spot
check investigation extending back 15 years.

f. Top Secret Clearance based on a current Special Background
Investigation (TS(SBI)) - Requires an investigation that,
in addition to the investigation for a BI, includes
additional checks on the subject's immediate family (if
foreign born) and spouse and neighborhood investigations to
verify each of the subject's former residences in the
United States where he resided six months or more. An SBI
typically includes an investigation extending back 15
years. [Ref. 10:p. 221]


The following two categories are actually authorizations rather than 
clearance levels, but they are included to emphasize their importance. 

g. One category (1C) - In addition to a TS(SBI) clearance,
written authorization for access to one category of
information is required. Authorizations are the access
rights granted to a user by a responsible individual (e.g.,
security officer).

h. Multiple categories (MC) - In addition to TS(SBI)
clearance, written authorization for access to multiple
categories of information is required. [Ref. 10:p. 281]

Data sensitivities or classifications can also be defined that are grouped
using the same hierarchy as above, but are not limited to these
categories. NOFORN is one such nonhierarchical sensitivity category.


APPENDIX C - PROJECTS TO DEVELOP TRUSTED SYSTEMS


Appendix C consists of three tables extracted from Carl E.
Landwehr's "The Best Available Technology for Computer Security" which
appeared in the July 1983 issue of Computer magazine.

Table C.1 - Completed Projects to Develop Trusted Systems

Table C.2 - Projects Underway to Develop Trusted Systems

Table C.3 - Abbreviations Used in Appendix C


TABLE C.1 - COMPLETED PROJECTS TO DEVELOP TRUSTED SYSTEMS

[Table contents illegible in the scanned source.]


TABLE C.2 - PROJECTS UNDERWAY TO DEVELOP TRUSTED SYSTEMS

[Table contents illegible in the scanned source.]


TABLE C.3 - ABBREVIATIONS USED IN APPENDIX C 


Notes:

?            data unknown or uncertain
[]           enclosed data indicates plans, not accomplishments

Abbreviations:

AF           Air Force
AFDSC        Air Force Data Services Center
asm          Assembly language (for machine indicated)
BBN          Bolt Beranek and Newman, Inc.
Boyer-Moore  Boyer-Moore theorem prover (SRI)
CIA          Central Intelligence Agency
Cincpac      Commander-in-Chief, Pacific
CSC          Computer Sciences Corp.
DARPA        Defense Advanced Research Projects Agency
DEC          Digital Equipment Corp.
Demo         System built as prototype or demonstrator only
DCA          Defense Communications Agency
FACC         Ford Aerospace and Comm. Corp.
FCDSSA       Fleet Combat Direction Systems Support Activity
Forscom      Forces Command (Army)
ISI          Information Sciences Institute
ITP          Interactive theorem prover (SDC)
MARI         Microprocessor Applications Research Institute (England)
MOL/360      Machine Oriented Language for IBM/360
NASA         National Aeronautics and Space Administration
NB           System never built
NC           System not yet complete enough for evaluation
NSA          National Security Agency
RSRE         Royal Signals and Radar Establishment (Malvern, England)
SDC          System Development Corporation
SDL          System Designers, Ltd. (England)
SLS          Second-level specification
SRI          SRI International
TLS          Top-level specification
VMS          Operating system for DEC VAX computer
WIS/JPM      WWMCCS joint program manager
WSE          WWMCCS system engineer
WWMCCS       World-Wide Military Command and Control System
3LS          Third-level specification


APPENDIX D - W.A.R. LAB COMPUTING RESOURCES 


A. PROCESSING HARDWARE 
(1) VAX-11/780 with:
6 MB Main Memory
1200 MB Virtual Disk Memory
High Speed Printer
16 Terminals
(3) RAMTEK Hi-Res Graphics Systems with:
Dual Monitors
Tablets
(3) WICAT/NAVTAG Microprocessor-based Tactical Trainers
B. COMMUNICATION HARDWARE
(1) Private Line Interface (PLI)
(1) Crypto Generator (KG-34)
(1) ARPANET IMP (C-30)
C. SOFTWARE/FIRMWARE
VAX VMS Operating System with:
Fortran 77 Compiler (For NWISS/IBGTT Development)
Simscript Compiler (For JTLS Development)
Berkeley UNIX (4.1 BSD) with:
C Compiler
Pascal Compiler
Lisp Environment
Graphics Tools Package (DI-3000)
Statistical Tools Package (SPSS-X)
D. SIMULATIONS/MODELS
NWISS (IBGTT)
JTLS
COMEL
WAAM (Incomplete)
JANUS (Replay Files Only)
E. MICROSYSTEMS
Fleet Mission Program Library
Decision Aids Implemented On:
HP 7020 (Standard)
Others (Wang, I OSA.
NAVTAG
Surface Warfare Trainer
Microcomputer Graphics
Videodisc Map Overlay


APPENDIX E - GEMINI TRUSTED MULTIPLE MICROCOMPUTER BASE - 
PRODUCT DESCRIPTION 





CAPABILITIES: 

Concurrent computing. Gemini operating system supports up to 8 
powerful iAPX286 processors for combined parallel and pipeline 
concurrent processing. 

Flexible multilevel security. Designed as DoD Class B3 
multiprocessing security kernel, coded in Pascal, with 
hardware-supported DES encryption. 

Configuration independence. Supports various configurations 
from a real-time dedicated controller to a multi-user 
workstation. 

Self-hosted software development. Disk-based CP/M environment 
and Gemini tools for applications in Pascal, JANUS ADA, C, PL/I 
and FORTRAN. 

ARCHITECTURE: 
IEEE Standard 796 Multibus. 


Microcomputers based on the Intel iAPX286 microprocessor with 
CPU and MMU on one chip. 


Up to 8 microcomputers tightly coupled on bus. 
Up to 2 Mbytes local RAM per microcomputer. 
Up to 8 Mbytes shared global memory per system. 


Up to 4 disk drives with any mix of fixed Winchester, removable 
Winchester and floppy diskettes. 


Up to 24 RS-232 serial I/O interface ports. 
Real-time calendar clock with battery backup. 
High speed DES data encryption hardware. 


Non-volatile system password and encryption key storage. 




SYSTEM SOFTWARE: 


Gemini Multiprocessing Secure Operating System (GEMSOS). 
Compatible in all configurations. 


Separation and sharing of data based on sensitivity and 
integrity levels and compartments. 


DoD Computer Security Center Development Product Evaluation in 
progress. 


Convenient interface to GEMSOS for concurrent computing 
application programs in several programming languages. 


Gemini development tools for concurrent computing applications. 


Same GEMSOS on every processor. Completely distributed 
operating system. 






INITIAL DISTRIBUTION 


Defense Technical Information Center 
Cameron Station 
Alexandria, Virginia 22304-6145 


Library, Code 0142 
Naval Postgraduate School 
Monterey, California 93943-5002 


Major Thomas J. Brown, Code 62 Bb 
Command, Control, and Communications Academic Group 
Naval Postgraduate School 
Monterey, California 93943-5000 


Professor Michael G. Sovereign, Code 74 
Chairman 
Command, Control, and Communications Academic Group 
Naval Postgraduate School 
Monterey, California 93943-5000 


CPT James A. Wall 
P.O. Box 644 
Ft. Knox, Kentucky 40121 























